PharUtil - Security-oriented utilities for Phar archives
Tag: v0.1.0

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.

PharUtil - Security-oriented utilities for Phar archives

Utilities for building, signing and verifying Phar archives with an OpenSSL public/private key pair. Using this library you can distribute code (e.g. plugins, skins) to remote PHP applications over HTTP and, thanks to signing, remove the risk of arbitrary remote code execution in those applications.

If you're not interested in remote deployment, you can always use the included phar-build script to build a Phar archive from a given source directory.

Author: Krzysztof Kotowicz - kkotowicz at gmail dot com

License: MIT

Source code: github

PEAR channel server:


Phar archives, though they have many superb features for a PHP developer, have a certain limitation when it comes to their security: although a standard Phar file can be signed, the key used to verify the signature (i.e. the public key) must be stored alongside the archive. Moreover, the signature verification process is hardcoded and does not allow you to supply the public key yourself.

These problems make it difficult to use Phar archives to distribute trusted code to clients, because both the key and the code are stored on the server: an attacker could use e.g. DNS spoofing to impersonate the server and supply code without any signature, or signed with his own key pair. Because of that, the standard Phar extension does not allow including remote (e.g. http://) Phar archives, to avoid the old security vulnerability of remote code execution (see e.g. the allow_url_fopen and allow_url_include discussion).

To mitigate this, the PharUtil library uses a different method:

  • the key used to verify the signature is stored on the client (shared secret) and is never transferred over the wire
  • all code is downloaded to the local client cache and is verified using the stored key
  • after verification the locally cached file can be included and loaded (no allow_url_fopen restrictions)

For a more detailed view of the different methods of including remote code (and why you should care at all), see Hardening PHP: How to securely include remote code
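The client-side method described above, as an added example that is not PharUtil's own code: the archive is downloaded to a local cache, the client's own copy of the public key is placed next to it under the `<archive>.pubkey` name the Phar extension looks for, and only then is the archive opened and included. The URL, cache directory, key path and `bootstrap.php` entry file are assumed placeholders.

```php
<?php
// Added example (not part of PharUtil): fetch a Phar over HTTP, verify its
// OpenSSL signature with a key that lives only on the client, then include
// the verified local copy. Paths and URL below are assumed placeholders.

function fetch_verified_phar($url, $cacheDir, $localPubKey)
{
    if (!is_dir($cacheDir) && !mkdir($cacheDir, 0700, true)) {
        throw new RuntimeException("Cannot create cache dir $cacheDir");
    }
    // The cached name must end in .phar so the Phar class will open it.
    $target = rtrim($cacheDir, '/') . '/' . sha1($url) . '.phar';

    // 1. Download into the local cache. Nothing is executed yet.
    $data = file_get_contents($url);
    if ($data === false || file_put_contents($target, $data, LOCK_EX) === false) {
        throw new RuntimeException("Download of $url failed");
    }

    // 2. Install the client-side public key where the Phar extension
    //    expects it (<archive>.pubkey). The key never comes from the server.
    if (!copy($localPubKey, $target . '.pubkey')) {
        throw new RuntimeException("Cannot install public key for $target");
    }

    // 3. Opening the archive makes the extension check the OpenSSL
    //    signature against that key; a bad signature throws.
    try {
        $phar = new Phar($target);
    } catch (Exception $e) {
        unlink($target);
        throw new RuntimeException('Signature check failed: ' . $e->getMessage());
    }

    // 4. Refuse unsigned or merely hashed archives: whoever controls the
    //    transport could otherwise simply strip the signature.
    $sig = $phar->getSignature();
    if (!is_array($sig) || $sig['hash_type'] !== 'OpenSSL') {
        unlink($target);
        throw new RuntimeException('Archive is not OpenSSL-signed');
    }
    return $target;
}

// Only the verified cached copy is ever included (placeholder URL/paths).
$verified = fetch_verified_phar('http://example.invalid/library.phar',
                                './cache', './cert/pub.pem');
include_once 'phar://' . $verified . '/bootstrap.php';
```

The Phar extension needs the openssl extension loaded for this check, and the check runs with phar.readonly=1, so the client never needs write access to archives.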

Usage scenario

Usage scenario is as follows:

On server (publisher):

  1. Create public / private keys with OpenSSL (see cert/README)
  2. On the server, build the code (see example/build.php) and sign it using your private key.

You may use the built archive on the server like any other Phar archive (see example/local.php)

On client (consumer):

  1. Prepare a copy of the public key (cert/pub.pem) for signature verification
  2. Download the code (Phar archive) from the server
  3. Verify the Phar signature using your copy of the public key (to be sure that the code has been generated by a trusted entity)
  4. Include and run the Phar archive in your application

For the download, verify and include steps see remote.php.

The mentioned files are installed in the example subdirectory of the PEAR package documentation (e.g. /usr/share/php/docs/PharUtil/example).

Disclaimer: For the security of the given method, it is critical to never disclose the private key! This method also doesn't protect anyone from looking AT the code: the code is not encrypted, it is only signed so that it cannot be changed by a third party.


To be able to use the project, you must have the Phar v2.0.0 PHP extension and a working OpenSSL in PHP. If you're using PHP >= 5.3.0, Phar is already built in; for older versions you must build it from pecl.

E.g. under Ubuntu, these steps are required to build and configure the Phar extension:

$ sudo apt-get install php5-dev
$ sudo pecl install pecl/phar
$ echo "" | sudo tee /etc/php5/conf.d/phar.ini
$ echo "phar.readonly=0" | sudo tee -a /etc/php5/conf.d/phar.ini

(the last line is needed on the server only and for security reasons should NOT be executed on client)

Install the library through the PEAR installer:

$ sudo pear channel-discover
$ sudo pear install kotowicz/PharUtil-beta

Building a Phar archive

  • Generate certificates in the cert/ directory (they will be put in priv.pem and pub.pem)

    $ mkdir cert/
    $ cd cert/
    $ phar-generate-cert

  • Create a src/ directory and copy all the files to build the archive from there
  • Build a signed phar archive

    $ phar-build --phar library.phar

  • Copy the public key to the client

Using the archive locally

Just use it like a normal Phar archive

include_once 'phar://path/to/library.phar';

Using the archive on the client

Use the PharUtil_RemotePharVerifier class to securely check the Phar signature before using the archive.


<?php
// all verified Phars will be copied to the lib/ directory
$verifier = new PharUtil_RemotePharVerifier('/tmp', './lib', './cert/public.pem');
try {
  $verified_file = $verifier->fetch("");
} catch (Exception $e) {
  // verification failed - never include anything from the download
  die('Phar verification failed: ' . $e->getMessage());
}

// $verified_file contains the absolute path of the downloaded file
// whose signature was verified with './cert/public.pem'
include_once $verified_file;
// or
include_once 'phar://' . $verified_file . '/some/file/within.php';
// or
echo file_get_contents('phar://' . $verified_file . '/readme.txt');


Krzysztof Kotowicz - kkotowicz at gmail dot com
