dqjl0906 2016-06-30 05:11
浏览 79
已采纳

PHP下载删除了数字代码签名

I have a php web application that allows our users to download our software installer setup.exe.

We've just started signing our code, both the the installer and the applications within it, which is all fine. However when I upload this installer to our web server, and download it through the php web application, setup.exe is no longer digitally signed! It's as if it was never signed in the first place.

Here's what I've tried:

  1. [right click] -> [properties] shows that setup.exe is not code signed. However setup.exe is the expected version.
  2. I ran the installer, and installed our software. The applications that are installed ARE code signed, and the expected version matching the installer.
  3. I tried downloading setup.exe directly from the web server through the cpanel File Manager and this is fine - setup.exe is digitally signed and the expected version.
  4. Attempts to download setup.exe from the web site via different browsers (firefox, edge) result in the same behaviour.

EDIT

  1. I also tried moving the setup.exe file to a public area on the site, and downloading it directly through the browser - works perfectly. All I can think is that the issue has to be in how PHP is serving the application to the browser.

I thought the HTTP headers or the PHP download function we have written might be related to the problem.

Our generic include.php file has the following headers to prevent caching:

header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Fri, 01 Jan 2016 01:00:00 GMT");   // a date in the past

And this is our download function:

function DownloadFile($file, $filename) {
    // check if file exists and write header info and output file
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/x-msdownload');
        header('Content-Disposition: attachment; filename="' . $filename . '"');
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        readfile($file);
        return true;
    } 
    else { 
        // file does not exist
        return false; 
    }
}

Which is primarily from the readfile() example on php.net. Are there any red flags here? What's going on?

  • 写回答

1条回答 默认 最新

  • doukun0888 2016-07-04 03:49
    关注

    The issue was caused by the way the web application serves the file following a header redirect to the same page - the page itself also serving other data as content.

    After the call to DownloadFile() the rest of the page, including HTML content etc, was sent as part of the file - resulting in the additional data corrupting the digital signature.

    The solution was to force the script to exit after the file was sent.

    $file = $_SERVER['DOCUMENT_ROOT'] . '/../product/release/' . $path;
DownloadFile($file, "ProductInstaller.exe");
exit; // prevent the rest of the page from being sent as part of the file
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 c程序不知道为什么得不到结果
  • ¥40 复杂的限制性的商函数处理
  • ¥15 程序不包含适用于入口点的静态Main方法
  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击
  • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
  • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置