2016-03-11 128 views
2

PHP Composer download signature verification

I need to install PHP Composer, but I'm not willing to `curl | php`; I want to verify that the downloaded package matches a signature or checksum.

The download links on the site are the way I want to go. The developers also publish their public keys on the site, and package signatures are available at ${download}.sig (you can find them by looking for them), but I can't figure out how to use these signatures to verify anything.

For example, here are the current latest phar and sig files:

The signature file contains:

{"sha384":"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"} 

The body of this signature appears to be base64 encoded, but decoding it doesn't simply yield a sha384 checksum. It doesn't appear to be a GPG signature either.

How do I verify the package?

Answer

3

The sign script can be found on GitHub and contains the following code:

// Sign the raw contents of the file given as the first argument with the
// private key $pkeyid, using RSA with a SHA-384 digest
openssl_sign(file_get_contents($_SERVER['argv'][1]), $sha384sig, $pkeyid, OPENSSL_ALGO_SHA384);
// ...
// Base64-encode the raw signature and strip the trailing '=' padding before publishing
$sha384sig = trim(base64_encode($sha384sig), '=');

So the signature really is a base64-encoded SHA384 checksum.


Note that the installer used to download the composer phar also checks the signature. Its code can also be found on GitHub:

// Fetch the .sig file that sits next to the phar, then decode the
// JSON wrapper and the base64 body to get the raw signature bytes
$signature = $httpClient->get($url.'.sig');
if (!$signature) {
    out('Download failed: '.$errorHandler->message, 'error');
} else {
    $signature = json_decode($signature, true);
    $signature = base64_decode($signature['sha384']);
}

// ...

if (false === $disableTls) {
    // Load the bundled public key: the tags key for a pinned release, the dev key otherwise
    $pubkeyid = openssl_pkey_get_public('file://'.$home.'/' . ($version ? 'keys.tags.pub' : 'keys.dev.pub'));
    $algo = defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'SHA384';
    if (!in_array('SHA384', openssl_get_md_methods())) {
        out('SHA384 is not supported by your openssl extension, could not verify the phar file integrity', 'error');
        exit(1);
    }
    // openssl_verify returns 1 only if the signature matches the file contents under this key
    $verified = 1 === openssl_verify(file_get_contents($file), $signature, $pubkeyid, $algo);
    openssl_free_key($pubkeyid);
    if (!$verified) {
        out('Signature mismatch, could not verify the phar file integrity', 'error');
        exit(1);
    }
}
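The two snippets above show what the `.sig` file actually is: `openssl_sign(..., OPENSSL_ALGO_SHA384)` produces an RSA signature over the SHA-384 digest of the phar, so the base64 body is a signature made with the maintainers' private key, not a bare checksum, and the installer checks it with `openssl_verify` against the bundled public key. The same check can be done by hand from the shell with the `openssl` CLI. The script below is an added example, not code from the question, the answer or the Composer project: `composer_sig_to_der` unwraps the `{"sha384":"..."}` JSON and restores the `=` padding the sign script strips, and `verify_composer_sig` runs `openssl dgst -sha384 -verify`. The phar, `.sig` and public-key paths are placeholders; `make_demo_fixtures` builds a throwaway key pair and a constructed phar plus `.sig` in Composer's format so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a Composer-style download against its .sig file with
# the openssl CLI. Not Composer's own code; paths are placeholders and the
# demo fixtures at the bottom are constructed.

# Extract the base64 signature from the JSON wrapper and restore the '='
# padding that Composer's sign script trims, then emit the raw signature bytes.
composer_sig_to_der() {
    sigfile=$1
    b64=$(sed -n 's/.*"sha384"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$sigfile")
    [ -n "$b64" ] || { echo "no sha384 field in $sigfile" >&2; return 1; }
    case $(( ${#b64} % 4 )) in
        2) b64="${b64}==" ;;
        3) b64="${b64}=" ;;
        1) echo "malformed base64 in $sigfile" >&2; return 1 ;;
    esac
    printf '%s' "$b64" | base64 -d
}

# Verify the phar against the signature using the maintainers' public key (PEM).
# Returns 0 only if the RSA/SHA-384 signature matches the file contents.
verify_composer_sig() {
    phar=$1; sigfile=$2; pubkey=$3
    der=$(mktemp) || return 1
    composer_sig_to_der "$sigfile" > "$der" || { rm -f "$der"; return 1; }
    openssl dgst -sha384 -verify "$pubkey" -signature "$der" "$phar" >/dev/null 2>&1
    rc=$?
    rm -f "$der"
    return $rc
}

# Constructed fixtures for a self-contained run: a throwaway RSA key pair, a
# fake phar, and a .sig written the way the sign script above writes it
# (base64 of the raw RSA/SHA-384 signature with trailing '=' removed).
make_demo_fixtures() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/key.pem" 2>/dev/null
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/keys.pub" 2>/dev/null
    printf 'not really a phar, just demo bytes\n' > "$dir/composer.phar"
    sig=$(openssl dgst -sha384 -sign "$dir/key.pem" "$dir/composer.phar" | base64 | tr -d '\n=')
    printf '{"sha384":"%s"}' "$sig" > "$dir/composer.phar.sig"
}

# Demo run on the constructed fixtures: a genuine phar verifies, a modified one does not.
demo_dir=$(mktemp -d)
make_demo_fixtures "$demo_dir"
if verify_composer_sig "$demo_dir/composer.phar" "$demo_dir/composer.phar.sig" "$demo_dir/keys.pub"; then
    echo "genuine phar: signature OK"
fi
printf 'x' >> "$demo_dir/composer.phar"   # simulate a tampered download
if ! verify_composer_sig "$demo_dir/composer.phar" "$demo_dir/composer.phar.sig" "$demo_dir/keys.pub"; then
    echo "tampered phar: signature mismatch (as expected)"
fi
rm -rf "$demo_dir"
```

For a real download, replace the fixture paths with the downloaded `composer.phar`, its `composer.phar.sig`, and the maintainers' public key obtained from the project site over TLS; the check only means something if that key reaches you through a channel you trust independently of the download itself.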