Forwarded to devs Phar Binary broken signature (PHP 7.1 - 8.2)

[hschramm]

Username: hschramm

TITLE

Phar Binary broken signature (PHP 7.1 - 8.2)

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

PLESK Obsidian, 18.0.49.1, Debian Buster (10), 64 Bit

PROBLEM DESCRIPTION

Running the phar Cli results in a stack trace error

PHP Fatal error:  Uncaught PharException: phar "/opt/plesk/php/8.0/bin/phar.phar" SHA1 signature could not be verified: broken signature in /opt/plesk/php/8.0/bin/phar.phar:57
Stack trace:
#0 /opt/plesk/php/8.0/bin/phar.phar(57): Phar::mapPhar()
#1 {main}
  thrown in /opt/plesk/php/8.0/bin/phar.phar on line 57

This happens accross all versions beginning from 7.1 to 8.2

STEPS TO REPRODUCE

Run the phar cli binary like

/opt/plesk/php/8.0/bin/phar

More tests:
To assure that it is not a local installation problem, I downloaded the plesk-php-cli package via wget, extracted it, and run the extracted phar binary. It results in the same error

ACTUAL RESULT

Not working, signature is broken

EXPECTED RESULT

working

ANY ADDITIONAL INFORMATION

(DID NOT ANSWER QUESTION)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[Peter Debik]

Hi @hschramm, thank you, I'm seeing the same on my CentOS. The issue has been reported as [PPS-13787].

 

[azurro]

this may be related to the openssl version in use, resp. the ciphers accepted.

on newer os (like almalinux 9 resp. centos) this error is caused by the default crypto policies applied.
in this case openssl does neither create nor verify sha1 signatures.

a quick workaround is to switch to weak, but compatible crypto policies with:

# update-crypto-policies --show
DEFAULT  
(note this to restore later)

# update-crypto-policies --set LEGACY

final fix is to recreate the signed phar with a supported and stronger signature cipher.