Matthew Weier O'Phinney:
Secure PHAR Automation
Dec 15, 2015 @ 12:32:54

There has always been an issue with the creation of Phar packages in PHP and the security around them. There have been recommendations about creating signatures and only using secure connections for updates and rollbacks. Unfortunately, there isn't an overly easy way to handle this yet. However, Matthew Weier O'Phinney has written up a post showing his workflow for doing these kinds of things, making use of the Box project to help with some of the more detailed parts.

For a variety of reasons, I've been working on a utility that is best distributed via PHAR file. As has been noted by others (archive.is link, due to lack of availability of original site), PHAR distribution, while useful, is not without security concerns, and I decided to investigate how to securely create, distribute, and update PHAR utilities as part of this exercise.

This is an account of my journey, as well as concrete steps you can take to secure your own PHAR downloads.

He starts by outlining the "roadmap" of the features he wants to include and the steps to take to create this more secure phar archive. It includes the use of both current, local tools and services (like Box and GitHub pages). He then walks through the steps in the full process:

  • Create an OpenSSL Key
  • Use Box to create the PHAR
  • Generate a version file
  • Create the gh-pages branch
  • Write self-update/rollback commands
  • Enable Travis-CI for the repository
  • Create an SSH deploy key
  • Archive and encrypt the secrets
  • Write a deployment script
  • Add the script to travis

While this seems like a lot of steps to just get a more secure phar set up, Matthew has done the hard work for you here and includes all of the commands, configuration examples and steps you'll need to take to fully set the process up. If all goes well, his example in his last "push and watch it work" section will go off without a hitch.

tagged: phar archive security signed https update rollback travisci tutorial

Link: https://mwop.net/blog/2015-12-14-secure-phar-automation.html

PHPMaster.com:
Create Digital Tickets with PHP and Apple Passbook
May 30, 2013 @ 09:11:36

On PHPMaster.com today there's a new tutorial showing you how to create digital tickets using PHP and the Apple Passbook service.

Why should we PHP warriors care at all about Apple’s Passbook? Well first because Apple made this technology open (well, sort of…), second because it can be used outside iOS devices, and third because it involves a lot of well-known and loved technologies like JSON and RESTful APIs. I’d also add that it’s a very interesting piece of technology, but that’s my personal opinion. In this article I’ll show you how I built a sample web application that creates and distributes passes in the form of a “PHPMaster Membership Card”. It is not a full-featured product, but it’s a nice base to build on for more serious real world uses.

He talks about the concept of a "pass" (a digitally signed document that can be easily distributed) and the types that the Apple service lets you make. His example (sample code here) is Slim-based and uses Idiorm & Paris for the data handling. He talks some about the certificate handling that's involved and the structure of the application, including the certs, application code, templates and images. He then works through the code step-by-step and explains what each part does and how it connects with Apple's service to generate the pass.

tagged: apple passbook tutorial ticket digital signed certificate

Link: http://phpmaster.com/create-digital-tickets-with-php-and-apple-passbook

Paul Reinheimer's Blog:
Mini PHP Contest
Oct 09, 2006 @ 16:57:00

Do you have your own interesting project kicking around that you've been working on but that hasn't gotten much notice? Well, you might want to check out this mini-contest that Paul Reinheimer is doing to help bring more of them to light.

I've made a small post to the general forum at PHP|Arch asking people to post a link to any side projects they might be currently working on.

The author (or authors) of the one(s) I like best will receive a free copy of my book, signed if so desired. Anyways, I'm just asking for a link to whatever you're working on already, so there's no effort required, go post!

The only comment so far in the forum post is Paul's own, but he talks about his imageBoxer script that combines images in a directory into a collage dynamically.

tagged: contest book signed project

Link: