From 9d56e7aa058a828ef24f879b3506dc61fb962238 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Fri, 16 Jun 2023 00:04:50 -0600 Subject: [PATCH 1/7] Fix phar building and testing on Travis-CI --- .travis.yml | 14 +++++++------- composer.json | 4 ++-- dist/Makefile | 2 +- dist/box.json | 3 --- dist/phar-testing-autoload.php | 4 ++++ docs/InternalDeveloperDocs.md | 2 +- 6 files changed, 15 insertions(+), 14 deletions(-) create mode 100644 dist/phar-testing-autoload.php diff --git a/.travis.yml b/.travis.yml index ffaefc0..24bd21e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -42,13 +42,13 @@ before_script: - phpenv config-add extra_php_config.ini script: - ./test.sh -# - mkdir /tmp/box -# - chmod 755 /tmp/box -# - curl -LSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box -# - chmod 755 /tmp/box/box -# - PATH="$PATH:/tmp/box/" which box -# - PATH="$PATH:/tmp/box/" make -C dist/ build-phar -# - ./test.sh dist/defuse-crypto.phar + - mkdir /tmp/box + - chmod 755 /tmp/box + - curl -LSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box + - chmod 755 /tmp/box/box + - PATH="$PATH:/tmp/box/" which box + - PATH="$PATH:/tmp/box/" make -C dist/ build-phar + - ./test.sh dist/phar-testing-autoload.php - if [[ $USE_PSALM -eq 1 ]]; then composer require --with-all-dependencies --dev "vimeo/psalm:dev-master"; fi - if [[ $USE_PSALM -eq 1 ]]; then composer install; fi - if [[ $USE_PSALM -eq 1 ]]; then vendor/bin/psalm; fi diff --git a/composer.json b/composer.json index 7f15ba0..29a1d52 100644 --- a/composer.json +++ b/composer.json @@ -26,8 +26,8 @@ "php": ">=5.6.0" }, "require-dev": { - "phpunit/phpunit": "^5|^6|^7|^8|^9|^10", - "yoast/phpunit-polyfills": "^2.0.0" + "yoast/phpunit-polyfills": "^2.0.0", + "phpunit/phpunit": "^5|^6|^7|^8|^9|^10" }, "bin": [ "bin/generate-defuse-key" diff --git a/dist/Makefile b/dist/Makefile index 833e479..bffe616 100644 --- a/dist/Makefile +++ b/dist/Makefile 
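Review bot: The `box.phar` fetched by `curl -LSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box` is executed as the tool that assembles `defuse-crypto.phar`, yet nothing checks what was downloaded — only the version string is pinned, not the content, and the following `chmod 755` / `which box` lines only confirm a file exists. Since these commented-out steps are being re-enabled as live CI, this is the place to pin the asset with a recorded digest, e.g. `- echo "<sha256 of box.phar 4.3.8>  /tmp/box/box" | sha256sum -c -` right after the download (update the digest alongside the version; if the Box release also publishes a detached signature, verifying that is the stronger option). If the same `make -C dist/ build-phar` path is ever used for the signed release build rather than just CI testing, an unverified build tool directly affects the shipped artifact.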
@@ -31,7 +31,7 @@ clean: defuse-crypto.phar: dist/box.json composer.lock cp dist/box.json . - php -d phar.readonly=0 $(box) build -c box.json -v + php $(box) compile -c box.json -v composer.lock: $(composer) config autoloader-suffix $(gitcommit) diff --git a/dist/box.json b/dist/box.json index f225f78..3c81e95 100644 --- a/dist/box.json +++ b/dist/box.json @@ -15,9 +15,6 @@ "exclude": "other" } ], - "compactors": [ - "Herrera\\Box\\Compactor\\Php" - ], "main": "vendor/autoload.php", "output": "defuse-crypto.phar", "shebang": false, diff --git a/dist/phar-testing-autoload.php b/dist/phar-testing-autoload.php new file mode 100644 index 0000000..433395a --- /dev/null +++ b/dist/phar-testing-autoload.php @@ -0,0 +1,4 @@ + diff --git a/docs/InternalDeveloperDocs.md b/docs/InternalDeveloperDocs.md index b68f710..5cac047 100644 --- a/docs/InternalDeveloperDocs.md +++ b/docs/InternalDeveloperDocs.md @@ -141,7 +141,7 @@ Test the `.phar`: ``` cd ../ -./test.sh dist/defuse-crypto.phar +./test.sh dist/phar-testing-autoload.php ``` Sign the `.phar`: From ae6d412def864bcb58549920a9cd8dc3ce5cb13c Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Sun, 18 Jun 2023 20:58:30 -0600 Subject: [PATCH 2/7] Add phar phpunit test cache to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 33fd704..5e47134 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,5 @@ box.phar phpunit.phar phpunit.phar.asc test/unit/File/tmp +test/.phpunit.result.cache .idea From d65dca2e1a7773407175ca0f5c24bc87b29fe286 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Sun, 18 Jun 2023 22:15:49 -0600 Subject: [PATCH 3/7] Restrict phar building and testing to PHP 8.1+; users of older PHP versions should use the phar from older releases of this library --- .travis.yml | 58 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 18 deletions(-) diff --git a/.travis.yml b/.travis.yml index 24bd21e..e8d1dac 100644 --- a/.travis.yml 
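Review bot: Dropping `-d phar.readonly=0` from the `defuse-crypto.phar` recipe relies on Box 4 re-executing PHP with that setting itself; as far as I know its settings handler does exactly that, but nothing here shows it, and on a stock php.ini (`phar.readonly=On`) a Box that did not restart would be unable to write the archive. A one-line comment above the recipe, `# Box 4 re-launches php with phar.readonly=0 itself; the old -d flag is not needed`, records the assumption so the next Box version bump knows what to re-check. The `$(box)` and `$(composer)` variables and the rest of the rule set are defined outside the hunk.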
+++ b/.travis.yml @@ -5,30 +5,52 @@ matrix: fast_finish: true include: - php: "5.6" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.0" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.1" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.2" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.3" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.4" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=0 - php: "8.0" # psalm currently doesn't like our \[#SensitiveParameter]s - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "8.1" # psalm currently doesn't like our \[#SensitiveParameter]s - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=1 - php: "8.2" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=1 dist: focal - php: "nightly" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=1 - php: "hhvm" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=1 allow_failures: - php: "nightly" - php: "hhvm" 
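Review bot: `BUILD_PHAR=1` is set on the `hhvm` job even though the commit message restricts phar building to PHP 8.1+; HHVM is not PHP 8.1, and Box 4.x targets PHP 8.1+ as far as I recall, so that job will fail at `make -C dist/ build-phar` — invisibly, because `hhvm` is under `allow_failures`, which then also hides any genuine regression earlier in that job. Setting `- BUILD_PHAR=0` on the `hhvm` entry keeps the gate consistent with the stated rule; `nightly` can reasonably stay at 1 since it tracks a future PHP version. The `allow_failures` list continues past the end of the hunk.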
@@ -42,13 +64,13 @@ before_script: - phpenv config-add extra_php_config.ini script: - ./test.sh - - mkdir /tmp/box - - chmod 755 /tmp/box - - curl -LSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box - - chmod 755 /tmp/box/box - - PATH="$PATH:/tmp/box/" which box - - PATH="$PATH:/tmp/box/" make -C dist/ build-phar - - ./test.sh dist/phar-testing-autoload.php + - if [[ $BUILD_PHAR -eq 1 ]]; then mkdir /tmp/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then chmod 755 /tmp/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then curl -LSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then chmod 755 /tmp/box/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then PATH="$PATH:/tmp/box/" which box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then PATH="$PATH:/tmp/box/" make -C dist/ build-phar; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then ./test.sh dist/phar-testing-autoload.php; fi - if [[ $USE_PSALM -eq 1 ]]; then composer require --with-all-dependencies --dev "vimeo/psalm:dev-master"; fi - if [[ $USE_PSALM -eq 1 ]]; then composer install; fi - if [[ $USE_PSALM -eq 1 ]]; then vendor/bin/psalm; fi From a4265d0e4d690d58a18f17dd6f2b21e1d74639b6 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 19 Jun 2023 00:10:18 -0600 Subject: [PATCH 4/7] Final changes for the v2.4.0 release --- README.md | 2 +- docs/InternalDeveloperDocs.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 499b592..1394d31 100644 --- a/README.md +++ b/README.md 
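Review bot: The gated `curl -LSs ... -o /tmp/box/box` still lacks `-f`/`--fail`, so an HTTP error (for example a 404 once the release asset moves) writes the error page into `/tmp/box/box` with exit status 0, and the problem only surfaces later as a confusing PHP parse error from `make -C dist/ build-phar`. Travis also runs every `script` line even after an earlier one fails, so the seven independent `if [[ $BUILD_PHAR -eq 1 ]]` steps each fail in turn and add noise rather than pointing at the first cause. Chaining the download into one step makes the first failure the reported one: `- if [[ $BUILD_PHAR -eq 1 ]]; then mkdir -p /tmp/box && curl -fLSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box && chmod 755 /tmp/box/box; fi`. The `before_script` section and the rest of the file lie outside the hunk.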
@@ -18,7 +18,7 @@ support](https://www.php.net/supported-versions.php), which at the time of writing means PHP 8.0 or later. Using this library with an unsupported version of PHP could lead to security vulnerabilities. -The current version of `php-encryption` is v2.3.1. This library is expected to +The current version of `php-encryption` is v2.4.0. This library is expected to remain stable and supported by its authors with security and bugfixes until at least January 1st, 2024. diff --git a/docs/InternalDeveloperDocs.md b/docs/InternalDeveloperDocs.md index 5cac047..75d4a2c 100644 --- a/docs/InternalDeveloperDocs.md +++ b/docs/InternalDeveloperDocs.md @@ -111,7 +111,7 @@ Check out the branch you want to release: git checkout ``` -Check that the version number in composer.json is correct: +Check that the version number in composer.json is correct (or not specified so that it gets picked up from the git tag): ``` cat composer.json From bb5c9cbad00974058a1d3660c5c96d40a0b68bdc Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 19 Jun 2023 01:13:23 -0600 Subject: [PATCH 5/7] fix signing key links in README --- README.md | 12 ++++++------ dist/{signingkey.asc => signingkey-old.asc} | 0 2 files changed, 6 insertions(+), 6 deletions(-) rename dist/{signingkey.asc => signingkey-old.asc} (100%) diff --git a/README.md b/README.md index 1394d31..e797955 100644 --- a/README.md +++ b/README.md 
@@ -99,22 +99,22 @@ a formal audit, please [contact Taylor Hornby](https://defuse.ca/contact.htm). Public Keys ------------ -The GnuPG public key used to sign current and older releases is available in -[dist/signingkey.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey.asc). Its fingerprint is: +The GnuPG public key used to sign the current and new releases is available in +[dist/signingkey.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: ``` -2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 +6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 ``` You can verify it against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and [twitter](https://twitter.com/DefuseSec/status/723741424253059074). -Due to the old key expiring, new releases will be signed with a new public key -available in [dist/signingkey-new.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: +Older releases were signed with a (now-expired) available in +[dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). The old key's fingerprint is: ``` -6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 +2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 ``` A signature of this new key by the old key is available in diff --git a/dist/signingkey.asc b/dist/signingkey-old.asc similarity index 100% rename from dist/signingkey.asc rename to dist/signingkey-old.asc From 26e84756471861c92b3469b588c4016498adfa72 Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 19 Jun 2023 01:14:35 -0600 Subject: [PATCH 6/7] actually fix the signging key links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e797955..23e3338 100644 --- a/README.md +++ b/README.md 
@@ -100,7 +100,7 @@ Public Keys ------------ The GnuPG public key used to sign the current and new releases is available in -[dist/signingkey.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: +[dist/signingkey-new.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: ``` 6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 @@ -111,7 +111,7 @@ page](https://defuse.ca/contact.htm) and [twitter](https://twitter.com/DefuseSec/status/723741424253059074). Older releases were signed with a (now-expired) available in -[dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). The old key's fingerprint is: +[dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-old.asc). The old key's fingerprint is: ``` 2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 From 9b77beb6e1cd997aecfd2392849db5afab128b5e Mon Sep 17 00:00:00 2001 From: Taylor Hornby Date: Mon, 19 Jun 2023 11:10:37 -0600 Subject: [PATCH 7/7] Fix links to fingerprint verification sources in README --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 23e3338..0e76317 100644 --- a/README.md +++ b/README.md @@ -108,7 +108,7 @@ The GnuPG public key used to sign the current and new releases is available in You can verify it against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and -[twitter](https://twitter.com/DefuseSec/status/723741424253059074). +[twitter](https://twitter.com/DefuseSec/status/1670840796743081984). Older releases were signed with a (now-expired) available in [dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-old.asc). The old key's fingerprint is: 
@@ -117,5 +117,8 @@ Older releases were signed with a (now-expired) available in 2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 ``` +The old key's fingerprint can be verified against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and +[twitter](https://twitter.com/DefuseSec/status/723741424253059074). + A signature of this new key by the old key is available in [dist/signingkey-new.asc.sig](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc.sig).