For better security, I would like to configure Apache to verify PHP scripts, which should be signed with my key. Is it possible? And is it possible not to serve unsigned files?
- It's a good question. It might be done by an Apache module, or possibly at the filesystem level. But I've never seen anything that does it. – Andrew Schulman Jan 07 '21 at 01:55
- What is the threat you want to protect your scripts from? – Bob Jan 07 '21 at 13:00
- @HermanB replacing or changing PHP scripts by an attacker – Ishayahu Jan 07 '21 at 17:26
1 Answer
In essence Apache and PHP rely on the operating system and file system level access controls to protect the integrity of your files, scripts and code.
The assumption there is that if those get bypassed by unauthorised users, you have bigger problems: you can't rely on the system being aware of the fact that it's been tampered with, and should consider the whole system compromised. (And attempts to protect the integrity of your files, scripts and code from trusted users are usually considered a losing proposition.)
PHP does not have any native support for code signing, I expect because that is the kind of technology that doesn't really work well in the Open Source ecosystems and thrives much more in closed platforms.
IIRC back in the day "Zend Guard" was a thing for signed and encrypted PHP that relied on a custom PHP "module" to allow that encrypted PHP to run. But that was never ported beyond PHP 5.6.
Currently there are AFAIK several PHP encoders/obfuscators that are designed to make reverse engineering and successful code changes more difficult to achieve, but nothing equivalent to code signing.

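The answer's point that script integrity rests on file system access controls can be checked directly. The following is an added example, not part of the original answer: a Python audit that reports PHP scripts a given account (for instance the web server's) could change because the file is writable, or replace because the parent directory is writable. The function names, the sample tree and the uid values are assumptions made for illustration; ACLs, sticky bits and immutable flags are not evaluated.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """True if the mode bits grant write to an account with this uid/gids."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:                 # owner class wins, even if group/other is looser
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(docroot, uid, gids):
    """Return sorted (relative_path, reason) pairs for scripts the account could alter."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        dir_writable = can_write(os.stat(dirpath), uid, gids)
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            try:
                file_writable = can_write(os.stat(path), uid, gids)
            except OSError:              # e.g. a dangling symlink
                file_writable = False
            if file_writable:
                findings.append((rel, "file writable: can be changed"))
            if dir_writable:
                findings.append((rel, "directory writable: can be replaced"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample docroot: a tight script, a loose script, a loose directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "cache"))
    layout = {"index.php": 0o644, "upload.php": 0o666,
              "cache/tpl.php": 0o644, "logo.png": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "cache"), 0o777)
    return root

if __name__ == "__main__":
    other_uid = os.getuid() + 1          # hypothetical web server account, not the file owner
    for rel, reason in audit_docroot(build_sample_tree(), other_uid, set()):
        print(rel, "->", reason)
```

An empty result for the web server's uid and groups means the server process cannot modify or swap the scripts it serves through ordinary permissions.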