From 39cb985ec1ea6003299ef1a5b55cc57e2d7adb92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20FIDRY?=
<5175937+theofidry@users.noreply.github.com>
Date: Sun, 22 Oct 2023 13:46:11 +0200
Subject: [PATCH] feat: Deprecate OpenSSL signing (#1100)
Closes #878.
---
src/Configuration/Configuration.php | 7 +++++
.../ConfigurationSigningTest.php | 28 ++++++++++++++++---
tests/Console/Command/CompileTest.php | 9 ++++--
3 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/src/Configuration/Configuration.php b/src/Configuration/Configuration.php
index f920620a4..53d387761 100644
--- a/src/Configuration/Configuration.php
+++ b/src/Configuration/Configuration.php
@@ -2280,6 +2280,13 @@ private static function retrieveSigningAlgorithm(stdClass $raw, ConfigurationLog
self::addRecommendationForDefaultValue($logger, self::ALGORITHM_KEY);
}
+ if (Phar::OPENSSL === $algorithm) {
+ $logger->addWarning(
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check '
+ .'https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ );
+ }
+
return $algorithm;
}
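Review bot: The warning added in `retrieveSigningAlgorithm` (its body starts above this hunk) tells users to move off `Phar::OPENSSL` without saying what they give up. OpenSSL is the only key-based Phar signature type; the hash-based ones (`Phar::SHA256`, `Phar::SHA512`, …) are digests stored in the archive, so they detect corruption but not a deliberately rewritten file. A user who just switches the `algorithm` setting to silence the warning loses authenticity checking without noticing. I would add a sentence to the message such as `'Hash-based algorithms only provide an integrity check; use a detached signature if you need to authenticate the PHAR.'`, with the test expectations updated to match. I would also add a comment above the `if`, e.g. `// OpenSSL is the only key-based signature type; the remaining algorithms are checksums.`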
diff --git a/tests/Configuration/ConfigurationSigningTest.php b/tests/Configuration/ConfigurationSigningTest.php
index 8a0bd9f35..00b6b15d3 100644
--- a/tests/Configuration/ConfigurationSigningTest.php
+++ b/tests/Configuration/ConfigurationSigningTest.php
@@ -243,7 +243,12 @@ public function test_the_key_can_be_configured(): void
self::assertFalse($this->config->promptForPrivateKey());
self::assertSame([], $this->config->getRecommendations());
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
}
public function test_the_key_pass_can_be_configured(): void
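Review bot: The full deprecation sentence is pasted as a literal into this assertion, into the three other `getWarnings()` assertions in this file, and into the three expected-output blocks in `tests/Console/Command/CompileTest.php`. Any rewording of the message, for instance to add guidance on what replaces OpenSSL signing, then needs seven hand edits that must stay byte-identical. A single test constant, e.g. `private const OPENSSL_DEPRECATION_WARNING = '…';` asserted as `self::assertSame([self::OPENSSL_DEPRECATION_WARNING], $this->config->getWarnings());`, would keep them in sync. From the visible hunks I cannot tell whether a test asserts that the hash-based algorithms produce no warning; if none does, a case with an empty warnings list for e.g. `SHA512` would pin the condition to `Phar::OPENSSL` only.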
@@ -261,7 +266,12 @@ public function test_the_key_pass_can_be_configured(): void
self::assertTrue($this->config->promptForPrivateKey());
self::assertSame([], $this->config->getRecommendations());
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
foreach ([false, null] as $keyPass) {
$this->setConfig([
@@ -281,7 +291,12 @@ public function test_the_key_pass_can_be_configured(): void
);
}
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
}
$this->setConfig([
@@ -295,7 +310,12 @@ public function test_the_key_pass_can_be_configured(): void
self::assertFalse($this->config->promptForPrivateKey());
self::assertSame([], $this->config->getRecommendations());
- self::assertSame([], $this->config->getWarnings());
+ self::assertSame(
+ [
+ 'Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.',
+ ],
+ $this->config->getWarnings(),
+ );
}
public static function passFileFreeSigningAlgorithmProvider(): iterable
diff --git a/tests/Console/Command/CompileTest.php b/tests/Console/Command/CompileTest.php
index e738a037b..e70348813 100644
--- a/tests/Console/Command/CompileTest.php
+++ b/tests/Console/Command/CompileTest.php
@@ -281,7 +281,8 @@ public function test_it_can_build_a_phar_file(): void
* Done.
No recommendation found.
- No warning found.
+ ⚠️ 1 warning found:
+ - Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.
// PHAR: {$numberOfFiles} files (100B)
// You can inspect the generated PHAR with the "info" command.
@@ -897,7 +898,8 @@ public function test_it_can_build_a_phar_file_in_verbose_mode(): void
* Done.
No recommendation found.
- No warning found.
+ ⚠️ 1 warning found:
+ - Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.
// PHAR: {$expectedNumberOfFiles} files (100B)
// You can inspect the generated PHAR with the "info" command.
@@ -1026,7 +1028,8 @@ public function test_it_can_build_a_phar_file_in_very_verbose_mode(): void
* Done.
No recommendation found.
- No warning found.
+ ⚠️ 1 warning found:
+ - Using an OpenSSL signature is deprecated and will be removed in 5.0.0. Please check https://github.com/box-project/box/blob/main/doc/phar-signing.md for alternatives.
// PHAR: {$expectedNumberOfFiles} files (100B)
// You can inspect the generated PHAR with the "info" command.