Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Sculpin Blog:
Deprecating Phar Distribution and Embedded Composer
Sep 02, 2016 @ 12:18:29

On the Sculpin blog Beau Simensen has posted an update about a change in how the project will be released in the future, most notably deprecating the phar release and switching to an embedded Composer installation.

If you are currently using a globally installed phar distribution for Sculpin you should migrate to a per-project Composer installed version of Sculpin as soon as you can. [...] Any plans for Sculpin 3 would have required reworking the phar build and distribution process

In typical programmer fashion, I let myself get bogged down in the details of eventually needing to deploy Sculpin 3 phar builds rather than working on Sculpin 3. What little time I had to spend on Sculpin last year was sunk on solving this problem. [...] The last officially available Sculpin phar is not compatible with PHP 7.

He talks about his earlier goals to make v3 of Sculpin PHP 7-only but, in the process of the work to get to that point, several roadblocks came up preventing it. He talks about self-updating phars and finally realizing that, for the good of the project, a move to the embedded Composer setup is the best method for keeping dependencies in sync. He ends the post with the steps you'll need to take to migrate from the phar release to the managed version and an example commit of how the Sculpin site itself was migrated.

tagged: sculpin static generator project phar embedded composer update

Link: https://blog.sculpin.io/2016/08/31/deprecating-phar-distribution-and-embedded-composer

Christian Weiske:
Running a phar without .phar extension
Dec 18, 2015 @ 11:18:13

Christian Weiske has a quick tip posted to his site for those using phar archives in PHP and how to remove the .phar extension and still have them execute correctly.

I'm shipping a new side project as .phar file, php-sqllint.phar. The phar stub has a shebang line so that I can call it without explicitly running PHP. [...] When making the file executable with chmod +x, you can simply execute it.

He wanted to remove the extension but was greeted with an error message when he tried to execute the result. He stumbled on the solution in this PHPUnit bug and corrected the problem with a call to the Phar::mapPhar method inside the phar archive file.

tagged: phar archive extension remove mapphar tutorial

Link: http://cweiske.de/tagebuch/phar-renaming-no-ext.htm

Matthew Weier O'Phinney:
Secure PHAR Automation
Dec 15, 2015 @ 12:32:54

There's always been an issue with the creation of Phar packages in PHP and the security around them. There's been recommendations about creating signatures and only using secure connections for updates and rollbacks. Unfortunately there isn't an overly easy way to handle this yet. However, Matthew Weier O'Phinney has written up a post showing his workflow for doing these kinds of things, making use of the Box project to help with some of the more detailed parts.

For a variety of reasons, I've been working on a utility that is best distributed via PHAR file. As has been noted by others (archive.is link, due to lack of availability of original site), PHAR distribution, while useful, is not without security concerns, and I decided to investigate how to securely create, distribute, and update PHAR utilities as part of this exercise.

This is an account of my journey, as well as concrete steps you can take to secure your own PHAR downloads.

He starts by outlining the "roadmap" of the features he wants to include and the steps to take to create this more secure phar archive. It includes the use of both current, local tools and services (like Box and GitHub pages). He then walks through the steps in the full process:

  • Create an OpenSSL Key
  • Use Box to create the PHAR
  • Generate a version file
  • Create the gh-pages branch
  • Write self-update/rollback commands
  • Enable Travis-CI for the repository
  • Create an SSH deploy key
  • Archive and encrypt the secrets
  • Write a deployment script
  • Add the script to travis

While this seems like a lot of steps to just get a more secure phar set up, Matthew has done the hard work for you here and includes all of the commands, configuration examples and steps you'll need to take to fully set the process up. If all goes well, his example in his last "push and watch it work" section will go off without a hitch.

tagged: phar archive security signed https update rollback travisci tutorial

Link: https://mwop.net/blog/2015-12-14-secure-phar-automation.html

ServerGrove Blog:
Introduction to the PHAR format
Jul 31, 2015 @ 12:15:44

The ServerGrove blog has posted an introduction to the PHAR format, a built-in method to use PHP and create self-contained functional scripts as a single *.phar file making it much easier to transport.

In the last years there is a trend in the PHP community to release tools, especially command line utilities, as PHAR files, so you can package an entire PHP application into a single file for convenience. But, how PHAR files work? In this post we will try to explain it.

They cover a few of the basic topics first: what is a PHAR file and a few examples of them being provided by major PHP projects. They then get into the creation of an archive, showing how to make a super simple PHAR "Hello World" archive, created with just a bit of PHP. They then get into the structure behind the archive and get into detail on each section (stub, manifest, file contents and signature).

tagged: phar format introduction archive package

Link: http://blog.servergrove.com/2015/07/30/introduction-phar-format/

SitePoint PHP Blog:
Boxing up your Apps as Phars Quickly and Easily with Box
Jun 16, 2015 @ 08:44:27

The SitePoint PHP blog has a new tutorial posted showing you how to easily package up your application with Box to make phar files without the extra hassle of building them yourself.

In this tutorial, we’ll use Box to package a PHP application into a Phar, in order to make it easily distributable and globally installable via Composer.

For his example he uses the PHP portion of the FolderBuilder project and makes a command-line executable that can return the information for a directory as JSON data. He starts by installing the "box" executable command on a local VM and defines the simple configuration file, a "box.json" with some basic settings. He then clones the FolderBuilder project, updates the configuration for the correct locations and files and executes the "build" command. The result is a phar file that contains the PHP script functionality. He also updates the configuration to make the result executable with a "chmod" setting, removing the need to call it with the PHP command line version. He ends the post showing how to test it out, taking the results and dropping them into FolderBuilder to make sure they're 100% correct.

tagged: tutorial build phar archive easy box commandline tool

Link: http://www.sitepoint.com/boxing-apps-phars-quickly-easily-box/

Pádraic Brady:
Self-Updating PHARs: Stable phar-updater packages now available
Jun 03, 2015 @ 08:28:12

Pádraic Brady has a new post to his site today talking about creating self-updating phars in PHP using his package created based on previous recommendations.

In all seriousness, phar-updater is my implementation of recommendations I made in a previous blog post around self-updating PHAR files. Those recommendations were, predictably for me, largely concerned with self-updating from a security perspective. Implementing it brought ease of use and flexible integration to the fore also. It can be surprising what a little extra work, testing and packaging can accomplish for reuse compared to throwing code into one file and calling it a day. It’s been integrated into Humbug with nary an issue.

The package makes it simple to integrate the self-update functionality into your existing phar package deployment including updating running versions, enforcement of TLS connections and allows for configuration of updates based on version numbers. You can see his own example in his Humbug package's "SelfUpdate" class.

tagged: phar selfupdate package pharupdater packagist composer

Link: http://blog.astrumfutura.com/2015/06/self-updating-phars-stable-phar-updater-packages-now-available/

Three Devs & A Maybe:
Episode 66 - Easy Like Sunday Morning
Jun 01, 2015 @ 08:36:01

The Three Devs & A Maybe podcast has posted their latest episode, #66 - Easy Like a Sunday Morning, with hosts Michael Budd, Fraser Hart, Lewis Cains and Edd Mann.

This week on a early Sunday morning recording, we start off podcast discussion with A/B testing and Google Analytics/Experiments. We then move on to touch upon distributing PHP console applications within PHAR's, application security and Google's recent IO conference. Following this we bring up a couple of small projects Edd is currently working on, relating to Morse Code and Colour detection algorithms. Finally, we wrap up the show by discussing the current Space Beer Cave competition that is still underway, and how one contestant is running away with the prize at this time.

Other topics mentioned include Box PHP, Ghostery and the missing mcrypt extension. You can listen to this latest episode either through the in-page audio player or by downloading the mp3. If you enjoy the show, be sure to subscribe to their feed or over in iTunes to get the latest shows as they're released.

tagged: threedevsandamaybe podcast ep66 abtesting phar console googleio color

Link: http://threedevsandamaybe.com/easy-like-sunday-morning/

Pádraic Brady:
Securely Distributing PHARs: Pitfalls and Solutions
Mar 04, 2015 @ 11:46:10

Pádraic Brady has a new article on his site talking about the secure distribution of phars (PHP archive files) including some of the common pitfalls and potential solutions.

The PHAR ecosystem has become a separate distribution mechanism for PHP code, distinct from what we usually consider PHP packages via PEAR and Composer. However, they still suffer from all of the same problems, namely the persisting whiff of security weaknesses in how their distribution is designed. [...] [Several security-related issues introduce an element of risk that the code you receive is not actually the code the author intended to distribute, i.e. it may decide to go do some crazy things that spell bad news when executed.

He shares some of the steps he's taken to secure his own phar for a CLI application with things like:

  • Distribute the PHAR over HTTPS
  • Enforce TLS verification
  • Sign your PHAR with a private key
  • Avoid PHAR Installer scripts
  • Manage Self-Updates securely

He finishes the post with one of the most important parts of the article - a reminder to do all of the things on the list above consistently.

This is not an outrageous outcome to introducing proper security on PHAR downloads. Go forth and do it for all PHARs. Help create an environment where distributing and installing code in secure ways is the normal expected thing to do.
tagged: secure distribution phar solution tls https privatekey installer selfupdates

Link: http://blog.astrumfutura.com/2015/03/securely-distributing-phars-pitfalls-and-solutions/

PHPUnit: Migration from PEAR to PHAR
Jan 14, 2015 @ 13:48:34

On The PHPcc's site today Sebastian Bergmann, the creator of the popular PHPUnit unit testing framework, shows you how to move to using the tool's phar file and away from the previously used PEAR install method.

In April 2014 I announced that I would shut down pear.phpunit.de on December 31, 2014. The motivation behind this move was to simplify the release process of PHPUnit by getting rid of an outdated distribution channel. I was afraid that I would leave users of my software behind by this move. [...] I am relieved that the shutdown of pear.phpunit.de went as smooth as it did. [...] In this article I show you how to make the transition from using PHPUnit from a PEAR package to using PHPUnit from a PHP Archive or using Composer as easy and convenient as possible.

There's three main steps to the migration from PEAR to the Composer-based phar installation:

  • Uninstalling PEAR Packages
  • Using PHPUnit from a PHP Archive (PHAR)
  • Installing PHPUnit with Composer

He includes the commands and configuration files/settings you'll need to make the transition happen. He also mentions that older versions are still available if there's a need but only on GitHub/Packagist as phar packages, not via PEAR.

tagged: phpunit migration pear phar packagist composer tutorial

Link: http://thephp.cc/news/2015/01/phpunit-migration-from-pear-to-phar

Community News:
PHPUnit Announced End of Life on PEAR Installation Method
Apr 21, 2014 @ 10:29:53

There's a new addition to the GitHub wiki that's quite important for the PHPUnit users out there. Sebastian Bergmann has officially announced the end of life for the PEAR version of the installer for the popular PHPUnit tool.

Since PHPUnit 3.7, released in the fall of 2012, using the PEAR Installer was no longer the only installation method for PHPUnit. Today most users of PHPUnit prefer to use a PHP Archive (PHAR) of PHPUnit or Composer to download and install PHPUnit. Starting with PHPUnit 4.0 the PEAR package of PHPUnit was merely a distribution mechanism for the PHP Archive (PHAR) and many of PHPUnit's dependencies were no longer released as PEAR packages. Furthermore, the PEAR installation method has been removed from the documentation. We are taking the next step in retiring the PEAR installation method with today's release of PHPUnit 3.7.35 and PHPUnit 4.0.17.

Included in this end of life, they'll also be decommissioning pear.phpunit.de to happen no later than the end of 2014.

tagged: pear phpunit install method composer phar download

Link: https://github.com/sebastianbergmann/phpunit/wiki/End-of-Life-for-PEAR-Installation-Method