diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
index e5cf68c2d..cc314e616 100644
--- a/.github/workflows/e2e-tests.yaml
+++ b/.github/workflows/e2e-tests.yaml
@@ -95,7 +95,7 @@ jobs:
 # in a different workflow.
 # See https://github.com/actions/download-artifact/issues/172
 - name: Retrieve built PHAR
- uses: dawidd6/action-download-artifact@v3
+ uses: dawidd6/action-download-artifact@v5
 with:
 github_token: ${{secrets.GITHUB_TOKEN}}
 workflow: release.yaml
@@ -150,7 +150,7 @@ jobs:
 # in a different workflow.
 # See https://github.com/actions/download-artifact/issues/172
 - name: Retrieve built PHAR
- uses: dawidd6/action-download-artifact@v3
+ uses: dawidd6/action-download-artifact@v5
 with:
 github_token: ${{secrets.GITHUB_TOKEN}}
 workflow: release.yaml
diff --git a/.github/workflows/requirement-checker.yaml b/.github/workflows/requirement-checker.yaml
index 14d2e1e53..330d34b99 100644
--- a/.github/workflows/requirement-checker.yaml
+++ b/.github/workflows/requirement-checker.yaml
@@ -227,7 +227,7 @@ jobs:
 # in a different workflow.
 # See https://github.com/actions/download-artifact/issues/172
 - name: Retrieve built PHAR
- uses: dawidd6/action-download-artifact@v3
+ uses: dawidd6/action-download-artifact@v5
 with:
 github_token: ${{secrets.GITHUB_TOKEN}}
 workflow: release.yaml
diff --git a/composer.lock b/composer.lock
index 26d9a110e..da0b21cbe 100644
--- a/composer.lock
+++ b/composer.lock
@@ -867,16 +867,16 @@
 },
 {
 "name": "composer/pcre",
- "version": "3.1.1",
+ "version": "3.1.3",
 "source": {
 "type": "git",
 "url": "https://github.com/composer/pcre.git",
- "reference": "00104306927c7a0919b4ced2aaa6782c1e61a3c9"
+ "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/composer/pcre/zipball/00104306927c7a0919b4ced2aaa6782c1e61a3c9",
- "reference": "00104306927c7a0919b4ced2aaa6782c1e61a3c9",
+ "url": "https://api.github.com/repos/composer/pcre/zipball/5b16e25a5355f1f3afdfc2f954a0a80aec4826a8",
+ "reference": "5b16e25a5355f1f3afdfc2f954a0a80aec4826a8",
 "shasum": ""
 },
 "require": {
@@ -918,7 +918,7 @@
 ],
 "support": {
 "issues": "https://github.com/composer/pcre/issues",
- "source": "https://github.com/composer/pcre/tree/3.1.1"
+ "source": "https://github.com/composer/pcre/tree/3.1.3"
 },
 "funding": [
 {
@@ -934,7 +934,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2023-10-11T07:11:09+00:00"
+ "time": "2024-03-19T10:26:25+00:00"
 },
 {
 "name": "composer/semver",
@@ -1019,16 +1019,16 @@
 },
 {
 "name": "composer/xdebug-handler",
- "version": "3.0.4",
+ "version": "3.0.5",
 "source": {
 "type": "git",
 "url": "https://github.com/composer/xdebug-handler.git",
- "reference": "4f988f8fdf580d53bdb2d1278fe93d1ed5462255"
+ "reference": "6c1925561632e83d60a44492e0b344cf48ab85ef"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/composer/xdebug-handler/zipball/4f988f8fdf580d53bdb2d1278fe93d1ed5462255",
- "reference": "4f988f8fdf580d53bdb2d1278fe93d1ed5462255",
+ "url": "https://api.github.com/repos/composer/xdebug-handler/zipball/6c1925561632e83d60a44492e0b344cf48ab85ef",
+ "reference": "6c1925561632e83d60a44492e0b344cf48ab85ef",
 "shasum": ""
 },
 "require": {
@@ -1065,7 +1065,7 @@
 "support": {
 "irc": "ircs://irc.libera.chat:6697/composer",
 "issues": "https://github.com/composer/xdebug-handler/issues",
- "source": "https://github.com/composer/xdebug-handler/tree/3.0.4"
+ "source": "https://github.com/composer/xdebug-handler/tree/3.0.5"
 },
 "funding": [
 {
@@ -1081,7 +1081,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2024-03-26T18:29:49+00:00"
+ "time": "2024-05-06T16:37:16+00:00"
 },
 {
 "name": "daverandom/libdns",
@@ -2903,16 +2903,16 @@
 },
 {
 "name": "symfony/finder",
- "version": "v7.0.0",
+ "version": "v7.0.7",
 "source": {
 "type": "git",
 "url": "https://github.com/symfony/finder.git",
- "reference": "6e5688d69f7cfc4ed4a511e96007e06c2d34ce56"
+ "reference": "4d58f0f4fe95a30d7b538d71197135483560b97c"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/symfony/finder/zipball/6e5688d69f7cfc4ed4a511e96007e06c2d34ce56",
- "reference": "6e5688d69f7cfc4ed4a511e96007e06c2d34ce56",
+ "url": "https://api.github.com/repos/symfony/finder/zipball/4d58f0f4fe95a30d7b538d71197135483560b97c",
+ "reference": "4d58f0f4fe95a30d7b538d71197135483560b97c",
 "shasum": ""
 },
 "require": {
@@ -2947,7 +2947,7 @@
 "description": "Finds files and directories via an intuitive fluent interface",
 "homepage": "https://symfony.com",
 "support": {
- "source": "https://github.com/symfony/finder/tree/v7.0.0"
+ "source": "https://github.com/symfony/finder/tree/v7.0.7"
 },
 "funding": [
 {
@@ -2963,7 +2963,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2023-10-31T17:59:56+00:00"
+ "time": "2024-04-28T11:44:19+00:00"
 },
 {
 "name": "symfony/polyfill-ctype",
@@ -3365,16 +3365,16 @@
 },
 {
 "name": "symfony/process",
- "version": "v7.0.4",
+ "version": "v7.0.7",
 "source": {
 "type": "git",
 "url": "https://github.com/symfony/process.git",
- "reference": "0e7727191c3b71ebec6d529fa0e50a01ca5679e9"
+ "reference": "3839e56b94dd1dbd13235d27504e66baf23faba0"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/symfony/process/zipball/0e7727191c3b71ebec6d529fa0e50a01ca5679e9",
- "reference": "0e7727191c3b71ebec6d529fa0e50a01ca5679e9",
+ "url": "https://api.github.com/repos/symfony/process/zipball/3839e56b94dd1dbd13235d27504e66baf23faba0",
+ "reference": "3839e56b94dd1dbd13235d27504e66baf23faba0",
 "shasum": ""
 },
 "require": {
@@ -3406,7 +3406,7 @@
 "description": "Executes commands in sub-processes",
 "homepage": "https://symfony.com",
 "support": {
- "source": "https://github.com/symfony/process/tree/v7.0.4"
+ "source": "https://github.com/symfony/process/tree/v7.0.7"
 },
 "funding": [
 {
@@ -3422,7 +3422,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2024-02-22T20:27:20+00:00"
+ "time": "2024-04-18T09:29:19+00:00"
 },
 {
 "name": "symfony/service-contracts",
@@ -3594,16 +3594,16 @@
 },
 {
 "name": "symfony/var-dumper",
- "version": "v7.0.6",
+ "version": "v7.0.7",
 "source": {
 "type": "git",
 "url": "https://github.com/symfony/var-dumper.git",
- "reference": "66d13dc207d5dab6b4f4c2b5460efe1bea29dbfb"
+ "reference": "d1627b66fd87c8b4d90cabe5671c29d575690924"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/symfony/var-dumper/zipball/66d13dc207d5dab6b4f4c2b5460efe1bea29dbfb",
- "reference": "66d13dc207d5dab6b4f4c2b5460efe1bea29dbfb",
+ "url": "https://api.github.com/repos/symfony/var-dumper/zipball/d1627b66fd87c8b4d90cabe5671c29d575690924",
+ "reference": "d1627b66fd87c8b4d90cabe5671c29d575690924",
 "shasum": ""
 },
 "require": {
@@ -3657,7 +3657,7 @@
 "dump"
 ],
 "support": {
- "source": "https://github.com/symfony/var-dumper/tree/v7.0.6"
+ "source": "https://github.com/symfony/var-dumper/tree/v7.0.7"
 },
 "funding": [
 {
@@ -3673,7 +3673,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2024-03-19T11:57:22+00:00"
+ "time": "2024-04-18T09:29:19+00:00"
 },
 {
 "name": "thecodingmachine/safe",
@@ -6157,16 +6157,16 @@
 },
 {
 "name": "symfony/yaml",
- "version": "v7.0.3",
+ "version": "v7.0.7",
 "source": {
 "type": "git",
 "url": "https://github.com/symfony/yaml.git",
- "reference": "2d4fca631c00700597e9442a0b2451ce234513d3"
+ "reference": "0d3916ae69ea28b59d94b60c4f2b50f4e25adb5c"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/symfony/yaml/zipball/2d4fca631c00700597e9442a0b2451ce234513d3",
- "reference": "2d4fca631c00700597e9442a0b2451ce234513d3",
+ "url": "https://api.github.com/repos/symfony/yaml/zipball/0d3916ae69ea28b59d94b60c4f2b50f4e25adb5c",
+ "reference": "0d3916ae69ea28b59d94b60c4f2b50f4e25adb5c",
 "shasum": ""
 },
 "require": {
@@ -6208,7 +6208,7 @@
 "description": "Loads and dumps YAML files",
 "homepage": "https://symfony.com",
 "support": {
- "source": "https://github.com/symfony/yaml/tree/v7.0.3"
+ "source": "https://github.com/symfony/yaml/tree/v7.0.7"
 },
 "funding": [
 {
@@ -6224,7 +6224,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2024-01-23T15:02:46+00:00"
+ "time": "2024-04-28T11:44:19+00:00"
 },
 {
 "name": "theseer/tokenizer",
diff --git a/doc/phar-signing.md b/doc/phar-signing.md
index 968053a4f..9c8b51b33 100644
--- a/doc/phar-signing.md
+++ b/doc/phar-signing.md
@@ -93,9 +93,10 @@ there is ways to void the signature: - Replace the signature used. An OpenSSL one will only make it slightly harder as this requires to change an external file (the public key), but in the context the attacker could inject code to the PHAR this is unlikely to be a real prevention measure. +- The entire signature check can be disabled via the [PHP ini setting `phar.require_hash`][phar-require-hash]. So to conclude, **this security mechanism CANNOT prevent modifications of the archive itself.** It is **NOT** a reliable -protection measure. +protection measure. It is merely a measure to prevent accidentally running a corrupted PHAR. The good news, there is a solution. @@ -390,5 +391,6 @@ Credits: [keys.openpgp.org]: https://keys.openpgp.org/about [github-environment-secrets]: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions [github-workflow]: https://docs.github.com/en/actions/using-workflows +[phar-require-hash]: https://www.php.net/manual/en/phar.configuration.php#ini.phar.require-hash [phive]: https://phar.io/ [jar]: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jarGuide.html