Extract Signature and Verify

To piggy back off the work done for extracting a phar's signature without the phar extension, you can now validate a phar without the extension as well. A new class called Signature has been added to handle phar signatures.

use Herrera\Box\Signature;

$signature = new Signature('my.phar');

print_r($signature->get());
/*
Array
(
    [hash_type] => OpenSSL
    [hash] => 54AF1D4E5459D3A77B692E46FDB9C965D1C7579BD1F2AD2BECF4973677575444FE21E104B7655BA3D088090C28DF63D14876B277C423C8BFBCDB9E3E63F9D61A
)
*/

echo 'Verified?', $signature->verify() ? 'yes' : 'no', "\n";
// Verified? yes

The class also supports verifying signatures, signed using a private key, without the openssl extension. However, you will need to have the phpseclib library installed.

Notes

• The Box::getSignature() method is now an alias for Signature::create('my.phar')->get().