Installing PHP extensions

croy

I'm exploring the use of Indigo instead of MAMP Pro and my project requires ChartDirector. I have tried to install it in the stack that I created. I get the following error:
26-Jul-2022 21:48:45 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'phpchartdir810.dll' .../phpchartdir810.dll' (code signature in <05D655A1-F3E7-3069-A59D-335552E13D52>; ...not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.)) ...

I have tried to sign it with my developer ID or ad-hoc. After I sign it I get the following error message:

... (code signature in <05D655A1-F3E7-3069-A59D-335552E13D52> .. not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)

Is there a way to resolve this?

Thank you,
David

Indigo

Hi @croy, apologies for my slow response! I overlooked your message till now. A couple of questions:

when you refer to MAMP PRO, have you been using the Mac, or the Windows version?
do you have a copy of ChartDirector compiled and working inside MAMP PRO?

Could you outline briefly the steps you've taken to install ChartDirector into your Indigo stack? A few thoughts which may help you, depending how far you got:

Let me know how you get on!

croy

Indigo I use MAMP PRO for the MAC.
In MAMP I copied the ChartDirector files to the extensions directory and configured the php.ini file to load them.
I have tried the same in indigo, these are the steps I tried.

I found the directory for my stack by right clicking on the stack. (ie. ~/.indigo/stacks/8FA787/php_930E/lib/php/20210902/)
I copied the ChartDirector files to the to the above directory.
I then add "extension=phpchartdir810.dll" the the php.ini file using the Configuration overrides on the stack. BTW this is the same command I use for all my PHP environments. (MAMP, RedHat)

When I start the stack the following message is output to the log file. This is the message when using the files that were downloaded from ChartDir. It finds the file it just can't load it.

"[29-Jul-2022 21:08:00 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'phpchartdir810.dll' (tried: /Users/croy/.indigo/stacks/8FA787/php_930E/lib/php/20210902/phpchartdir810.dll (dlopen(/Users/croy/.indigo/stacks/8FA787/php_930E/lib/php/20210902/phpchartdir810.dll, 0x0009): tried: '/Users/croy/.indigo/stacks/8FA787/php_930E/lib/php/20210902/phpchartdir810.dll' (code signature in <05D655A1-F3E7-3069-A59D-335552E13D52>; '/Users/croy/.indigo/stacks/8FA787/php_930E/lib/php/20210902/phpchartdir810.dll' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?))), /Users/croy/.indigo/stacks/8FA787/php_930E/lib/php/20210902/phpchartdir810.dll.so (dlopen(/Users/croy/.indigo/stacks/8FA787/php_930E/lib/php/20210902/phpchartdir810.dll.so, 0x0009): tried: '/Users/croy/.indigo/stacks/8FA787/php_930E/lib/php/20210902/phpchartdir810.dll.so' (no such file))) in Unknown on line 0"

I have also tried to add Indigo to the System Preferences -> Security & Privacy -> Developer Tools list.

Thanks for your help. Please let me know if you have any questions.

David

Indigo

Hi David, thanks for the really clear additional details. I have replicated the problem in Indigo, and have also got it working very easily in MAMP, which obviously I am miffed about 🤪

As an aside, instead of signing the binaries (phpchartdirXXX.dll and libchartdir.so) I removed quarantine:

sudo xattr -r -d com.apple.quarantine phpchartdirXXX.dll
sudo xattr -r -d com.apple.quarantine libchartdir.so

Seemed to work fine that way in MAMP, and avoids the many and varied potential issues with signing.

While I continue digging into this, can I ask a quick question — are you on an Apple Silicon Mac?

croy

Indigo I'm using an Apple Silicon Mac.

Indigo

OK, so I got it working with Indigo; I had to both sign it AND remove quarantine. I couldn't say for certain whether I also did that in my MAMP experiment or not, sorry.

sudo xattr -r -d com.apple.quarantine phpchartdirXXX.dll
sudo xattr -r -d com.apple.quarantine libchartdir.so

codesign --force --options runtime --sign 'Apple Development: My Name (T2BRKKC59U)' libchartdir.so
codesign --force --options runtime --sign 'Apple Development: My Name (T2BRKKC59U)' phpchartdirXXX.dll

Once you have those two files prepared, you should place them somewhere where they won't get lost when you rebuild your stack. I would suggest inside your stack's .stackconfig bundle; this way Indigo will copy them in whenever it prepares to start the stack, just like it will do with your .ini file.

Let me know if it works for you! (or if any of the above is too obtuse 🙂 )

croy

Indigo

Thank for looking into this issue. The issue I'm having is that when I sign the app it's a different Team ID then the indigo app. That is probably why it worked for you.

[30-Jul-2022 20:31:25 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'phpchartdir810.dll' (tried: /Users/croy/.indigo/stacks/75BD26/php_A6CE/lib/php/20210902/phpchartdir810.dll (dlopen(/Users/croy/.indigo/stacks/75BD26/php_A6CE/lib/php/20210902/phpchartdir810.dll, 0x0009): tried: '/Users/croy/.indigo/stacks/75BD26/php_A6CE/lib/php/20210902/phpchartdir810.dll' (code signature in <05D655A1-F3E7-3069-A59D-335552E13D52> '/Users/croy/.indigo/stacks/75BD26/php_A6CE/lib/php/20210902/phpchartdir810.dll' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)), /Users/croy/.indigo/stacks/75BD26/php_A6CE/lib/php/20210902/phpchartdir810.dll.so (dlopen(/Users/croy/.indigo/stacks/75BD26/php_A6CE/lib/php/20210902/phpchartdir810.dll.so, 0x0009): tried: '/Users/croy/.indigo/stacks/75BD26/php_A6CE/lib/php/20210902/phpchartdir810.dll.so' (no such file))) in Unknown on line 0

The interesting thing is when I use MAMP I don't have to sign the chartdir files.

David

Indigo

Ah, of course — tomorrow I'll try signing it ad-hoc and see if it results in the same error as you have. I suspect it will, at which point I am running out of ideas 🙁 Apple's code signing can be a real pain. As to why it works in MAMP unsigned, I have absolutely no ideas 🙁

Regardless, in case it helps I'm happy to sign the binaries with the same credentials as Indigo and attach them here, which will get you going, but isn't exactly a long-term solution I guess.

Indigo

I've emailed you the signed binaries. Hoping they might work!

I’d love to get to the bottom of why MAMP doesn’t need these signed though, so any further ideas gratefully accepted!

IndigoUser

Hi all,
Is there an update to this and a solution to installing PHP extensions for Indigo that doesn't result in Codesign errors (either missing cdhash or differing Team IDs)?

I've tried to install vanilla extensions like Imagick, even followed what @Indigo posted here (https://forums.indigostack.app/d/48-imagick) (using PHP 8.2.8 under Indigo; Homebrew is currently using 8.2.9), but like @croy i get cdhash and mismatch team id errors if attempting to codesign the extensions (both ad-hoc or using my Apple developer certificate).
Have also tried removing the quarantine flag before code signing as well as attempted to use 'LoadModule php_module' via the Apache template but i get the same result and same error message with the extension.

As @croy mentioned, MAMP doesn't seem to suffer from this issue although i've no idea what they're doing to get around it.

Much appreciate any help as Indigo is a pretty decent app otherwise, plus i really don't want to go back to MAMP 🙁

Edit - Just to add, MAMP includes imagick and a few others and the extensions are signed by themselves -

Executable=/Applications/MAMP/bin/php/php8.2.0/lib/php/extensions/no-debug-non-zts-20220829/imagick.so Identifier=imagick Format=Mach-O thin (x86_64) CodeDirectory v=20200 size=3815 flags=0x0(none) hashes=115+2 location=embedded VersionPlatform=1 VersionMin=658432 VersionSDK=658944 Hash type=sha256 size=32 CandidateCDHash sha256=52b0a510a8f09b8322743d62edb5e88e9e417921 CandidateCDHashFull sha256=52b0a510a8f09b8322743d62edb5e88e9e417921f64fb2f25318cbb5cf7f55a7 Hash choices=sha256 CMSDigest=52b0a510a8f09b8322743d62edb5e88e9e417921f64fb2f25318cbb5cf7f55a7 CMSDigestType=2 Page size=4096 Launch Constraints: None CDHash=52b0a510a8f09b8322743d62edb5e88e9e417921 Signature size=8917 Authority=Developer ID Application: MAMP GmbH (5KCB5KHK77) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=9 Dec 2022 at 11:50:16 Info.plist=not bound TeamIdentifier=5KCB5KHK77 Sealed Resources=none Internal requirements count=1 size=168!<

Edit 2 - Is there any way we can use Pecl to install extensions (from within the stack or via the shell integration)?
It is bundled with each stack within the PHP's bin directory but, it throws errors ('/usr/local/Indigo/Homebrew/Cellar/php/8.2.8/bin/php' doesn't exist etc) which i assume is because the stacks PHP CLI configuration file path points to '/usr/local/Indigo/Homebrew/Cellar/php/8.2.8' and, iirc, that is/was set when PHP is being built (./configure).
Ignore, you still end up against code signing issues regardless of Pecl.

Indigo

@IndigoUser thanks for your post and thorough attempts to get additional extensions to work. I just wanted to respond to let you know I've seen your post but I will be unavailable till after the weekend. I will respond properly then. Thanks for your patience!

IndigoUser

Indigo
No worries at all 🙂

It does seem to be a Gatekeeper/codesigning issue and I did spot that MAMP have disabled library validation (has the 'com.apple.security.cs.disable-library-validation' entitlement attached) although i'm not entirely sure whether that would be the cause.

sudo codesign -d --entitlements - /Applications/MAMP/MAMP.app Executable=/Applications/MAMP/MAMP.app/Contents/MacOS/MAMP [Dict] [Key] com.apple.application-identifier [Value] [String] 5KCB5KHK77.de.appsolute.MAMP [Key] com.apple.developer.team-identifier [Value] [String] 5KCB5KHK77 [Key] com.apple.security.automation.apple-events [Value] [Bool] true [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true sudo codesign -d --entitlements - /Applications/Indigo.app Executable=/Applications/Indigo.app/Contents/MacOS/Indigo [Dict]!<

I also noticed that MAMP do include a handful of signed (with their dev cert) PHP extensions, like Imagick, with their app/install package but, they have Pear/Pecl configured (for each PHP version they ship) allowing you to build and install extensions which aren't codesigned and load without throwing any codesign errors.

As said though, great app and hopefully you guys find a solution to this 👍️

P.s - i'm not sure how feasible it is to do with Indigo but as a (far future) feature request, could Pear/Pecl be correctly configured for each stack? Would make it a lot easier with installing extensions and a little less cumbersome than the Homebrew solution laid out in the other thread.

Indigo

Thanks again @IndigoUser for your research into this. Am I right thinking the motivation for you specifically is that you need imagick? I'm trying to get a sense for Indigo users' reliance on PHP extensions; my gut feel is that very few are looking for anything beyond—say—the "common 10" extensions.

In order to make "the 90% easy, and the 10% possible", I think the path forward on this topic is twofold;

Provide a better selection of included extensions

This would hopefully allow most users to sidestep any extension issues (signing etc) altogether.

Any of these (currently 45) extensions should be straightforward candidates for me to include with each php distributed with Indigo. Just have to work out which ones to include. I've started with imagick, so that will be in the next Indigo release.

Fix PECL / PEAR

This forum issue was initially created regarding an extension called "ChartDirector" — a good reminder that exceptions to the common extension requirements will always exist — but it's been the only request of its type in over a year, so I think represents the "10%" use-case mentioned above.

In that light, I would ideally like Indigo to provide a solution for compiling your own extensions (need a working phpize etc), or using PECL — but until that point perhaps a willingness at my end to compile bespoke stuff is sufficient for those users.

@croy & @IndigoUser — your thoughts?

re signing:

Your research is really helpful, thanks! In particular, the com.apple.security.cs.disable-library-validation entitlement; I'm not sure that its existence on MAMP.app is so relevant, but it's very interesting to see it on their bundled php binaries, as those are what actually load the extension.so's.

I believe Homebrew-installed PHP binaries are not signed at all (sidenote: how do they run without throwing warnings?), and thus don't need this entitlement, also explaining why they happily load extensions provided as prebuilt PECL binaries.

I am currently wondering, if I could give the Indigo PHP binaries this entitlement, do you think it would resolve the issues when attempting to load 3rd-party-provided extensions?

IndigoUser

Indigo

Indigo Am I right thinking the motivation for you specifically is that you need imagick?

Phalcon framework, although i tend to work with different versions of the framework (not just the latest version but specific minor versions) which is where i could see Indigo being a huge help, and massively simplifying my current setup of a multitude of Dockers and VM's which is messy, with a user being able to 'build' differing stack configurations.

As you say, if Indigo included a good selection of PHP extensions then you would easily cater for 90% of users. Certainly Imagick is a good call given a lot of CMS use it but, somewhere in the cPanel documentation is a list of 'standard' PHP extensions which may be a good starting point as a lot of folk are dev'ing for cPanel/Plesk type platforms.
Although the Mcrypt and Tokenizer extensions would help those using some popular frameworks like Laravel, Symfony, CodeIgniter etc, Memcache/d and APCU for those working with caching, PHPUnit for unit-testing etc.

Indigo @croy & @IndigoUser — your thoughts?

Seems like a good plan. Perhaps include something within the documentation around extensions, what's currently included, what's the future/roadmap in terms of PEAR/PECL and then if users need 'custom' extensions then to let you guys know that you may be able to help etc.

Indigo I am currently wondering, if I could give the Indigo PHP binaries this entitlement, do you think it would resolve the issues when attempting to load 3rd-party-provided extensions?

Honestly i'm not sure as i'm not much of an Apple developer but, it was just something i spotted whilst digging around and might be worth trying. And i think you're probably on track with regards to the PHP binaries, certainly MAMP include a handful of entitlements with their binaries, including 'com.apple.security.cs.disable-executable-page-protection' which i believe removes signing protection -

sudo codesign -d --entitlements - /Applications/MAMP/bin/php/php8.2.0/bin/php Executable=/Applications/MAMP/bin/php/php8.2.0/bin/php [Dict] [Key] com.apple.security.cs.allow-dyld-environment-variables [Value] [Bool] true [Key] com.apple.security.cs.allow-jit [Value] [Bool] true [Key] com.apple.security.cs.allow-unsigned-executable-memory [Value] [Bool] true [Key] com.apple.security.cs.disable-executable-page-protection [Value] [Bool] true [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true!<

Also i imagine there's a few outlier dev's that may want the same for Apache modules; again, it's a future feature request but it might be something worth thinking about.