Howto: Package Signing

Generate a private key

See man genrsa for more information, but the following should usually do:

█ http.git<git=master...origin/master>$ openssl genrsa -aes256 -out pecl_http.key 2048

Output:

Generating RSA private key, 2048 bit long modulus
...................................+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for pecl_http.key:
Verifying - Enter pass phrase for pecl_http.key:

You now should have a private key in PEM format stored in the file pecl_http.key ready to use for signing pecl_http PHARS. You only have to generate this key once, as long as it is not disclosed, so keep it offline.

Build the signed PHAR

Specify -S or --sign and the private key to use to sign the PHAR:

█ http.git<git=master...origin/master>$ ./vendor/bin/pharext -vps . --sign pecl_http.key

Output:

Creating phar /var/folders/_m/gz8t5ljn43d0hbk5x0cfs12r0000gn/T/54febe076a0e7.phar ...

Using private key to sign phar ...
Password:
Packaging /Users/Mike/Sources/http.git/raphf-1.0.5.ext.phar
Packaging /Users/Mike/Sources/http.git/propro-1.0.1.ext.phar
Packaging pharext_install.php
Packaging [...lots of other files that have been stripped from the output...]
Created executable phar /var/folders/_m/gz8t5ljn43d0hbk5x0cfs12r0000gn/T/54febe076a0e7.phar
Finalizing ./pecl_http-2.4.0dev.ext.phar ... OK
Public Key ./pecl_http-2.4.0dev.ext.phar.pubkey ... OK

Distribute the public key alongside with your PHAR, or else the users won’t be able to run the installer.

• Table Of Contents
• Home
• Howto: Package Dependencies
• Howto: Package Signing
• Packager hook
• Privacy Policy
• Public key
• Usage of *.ext.phar packages
• Usage of the pharext packager