Skip to content

Bundle PIE with PHP by default #21524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
asgrim wants to merge 5 commits into
base: master
Choose a base branch
from
+87 −1
Draft

Bundle PIE with PHP by default #21524

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1cfcc88
Basic PIE downloader flag --with-pie
asgrim Mar 25, 2026
93bdfd1
Move PIE to install in $(bindir)
asgrim Mar 26, 2026
742c940
Download PIE to a temp directory before verifying
asgrim Mar 26, 2026
ce67233
Removed pie installer debug echo statements
asgrim Mar 26, 2026
0069c55
Enable --with-pie by default
asgrim Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 33 additions & 1 deletion configure.ac
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1182,6 +1182,38 @@ AS_VAR_IF([PHP_PEAR], [no],, [
[pear])
])

dnl PIE
dnl ----------------------------------------------------------------------------

PHP_HELP_SEPARATOR([PIE:])
PHP_CONFIGURE_PART([Configuring PIE])

dnl If CLI is disabled disable PIE.
AS_VAR_IF([PHP_CLI], [no], [with_pie=no])

PHP_ARG_WITH([pie],
[whether to install PIE],
[AS_HELP_STRING([[--with-pie[=DIR]]],
[Install PIE in DIR [PREFIX/bin]])],
[yes],
Copy link
Copy Markdown
Contributor Author

@asgrim asgrim Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed this to default ship with PIE, now you would have to use --without-pie to not build with it

[yes])

AS_VAR_IF([PHP_PIE], [no],, [
install_pie=install-pie

AS_VAR_IF([PHP_PIE], [yes],
[AS_CASE([$PHP_LAYOUT],
[GNU], [PIE_INSTALLDIR=$bindir],
[PIE_INSTALLDIR=$bindir])],
[PIE_INSTALLDIR=$PHP_PIE])

PHP_SUBST([PIE_INSTALLDIR])
PHP_ADD_BUILD_DIR([pie])
PHP_ADD_MAKEFILE_FRAGMENT([$abs_srcdir/pie/Makefile.frag],
[$abs_srcdir/pie],
[pie])
])

dnl Configuring Zend and TSRM.
dnl ----------------------------------------------------------------------------

Expand Down Expand Up @@ -1622,7 +1654,7 @@ else
fi;

all_targets="\$(OVERALL_TARGET) \$(PHP_MODULES) \$(PHP_ZEND_EX) \$(PHP_BINARIES) $pharcmd"
install_targets="$install_sapi $install_modules $install_binaries install-build install-headers install-programs $install_pear $pharcmd_install"
install_targets="$install_sapi $install_modules $install_binaries install-build install-headers install-programs $install_pear $install_pie $pharcmd_install"

PHP_SUBST([all_targets])
PHP_SUBST([install_targets])
Expand Down
39 changes: 39 additions & 0 deletions pie/Makefile.frag
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
piedir=$(PIE_INSTALLDIR)

PIE_PHP_FLAGS = -dmemory_limit=-1

CURL = `which curl 2>/dev/null`
WGET = `which wget 2>/dev/null`
FETCH = `which fetch 2>/dev/null`
FETCH_PHP = $(top_srcdir)/pear/fetch.php
GH = `which gh 2>/dev/null`
PIE_PHAR_URL = https://github.com/php/pie/releases/latest/download/pie.phar
PIE_PHAR_TEMP_DL_LOCATION = $(top_srcdir)/pie/pie_temp.phar
PIE_PHAR_DESTINATION = $(INSTALL_ROOT)$(piedir)/pie

$(PIE_PHAR_DESTINATION):
@echo "Installing PIE: $(PIE_PHAR_DESTINATION)"
# First, figure out a way to download the phar, with curl, wget, fetch, or a backup PHP script...
@if test ! -z "$(CURL)" && test -x "$(CURL)"; then \
"$(CURL)" --no-progress-meter --silent --location "${PIE_PHAR_URL}" --output $(PIE_PHAR_TEMP_DL_LOCATION); \
elif test ! -z "$(WGET)" && test -x "$(WGET)"; then \
"$(WGET)" "${PIE_PHAR_URL}" --quiet --no-directories --output-document=$(PIE_PHAR_TEMP_DL_LOCATION); \
Copy link
Copy Markdown
Contributor Author

@asgrim asgrim Mar 31, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Build failure:

/usr/bin/wget: unrecognized option: no-directories

https://github.com/php/php-src/actions/runs/23794236419/job/69337305959?pr=21524#step:9:37

elif test ! -z "$(FETCH)" && test -x "$(FETCH)"; then \
"$(FETCH)" -o $(PIE_PHAR_TEMP_DL_LOCATION) "${PIE_PHAR_URL}"; \
else \
$(top_builddir)/sapi/cli/php -n "${FETCH_PHP}" "${PIE_PHAR_URL}" $(PIE_PHAR_TEMP_DL_LOCATION) ; \
fi
# Try to verify using `gh` CLI, or if not use `self-verify` (which isn't the best, since it could already have been tampered)
@if test ! -z "$(GH)" && test -x "$(GH)"; then \
"$(GH)" attestation verify --owner=php $(PIE_PHAR_TEMP_DL_LOCATION); \
Copy link
Copy Markdown
Contributor Author

@asgrim asgrim Mar 31, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Build failure:

To get started with GitHub CLI, please run:  gh auth login
Alternatively, populate the GH_TOKEN environment variable with a GitHub API authentication token.

https://github.com/php/php-src/actions/runs/23794236419/job/69337306006?pr=21524#step:11:39

Copy link
Copy Markdown
Contributor Author

@asgrim asgrim Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likely similar issue:

Installing PIE:                   /usr/bin/pie
Created directory: /var/lib/snmp/cert_indexes
🥧 PHP Installer for Extensions (PIE) 1.3.10, from The PHP Foundation

In AuthHelper.php line 132:
                                             
  Could not authenticate against github.com  
                                             

self-verify [--with-php-config WITH-PHP-CONFIG] [--with-php-path WITH-PHP-PATH] [--with-phpize-path WITH-PHPIZE-PATH] [--no-cache]

make: *** [Makefile:497: /usr/bin/pie] Error 255

https://app.circleci.com/pipelines/gh/php/php-src/26637/workflows/15956446-015b-4414-8e74-b5341f2214e2/jobs/26328

else \
$(top_builddir)/sapi/cli/php $(PIE_PHP_FLAGS) $(PIE_PHAR_TEMP_DL_LOCATION) self-verify; \
fi
# Once verified, move it to the real location
@mv $(PIE_PHAR_TEMP_DL_LOCATION) $(PIE_PHAR_DESTINATION)
@chmod +x $(PIE_PHAR_DESTINATION)

.PHONY: install-pie
install-pie: $(PIE_PHAR_DESTINATION)
Copy link
Copy Markdown
Contributor Author

@asgrim asgrim Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This issue warrants discussion; at the moment, since PIE doesn't (yet) support PHP 8.6 (fails at the Box requirements checker), this would cause a non-zero exit code. Same scenario would happen if PHP is installed without the minimum required extensions.

I'd suggest we capture these kind of errors, print out a warning that PIE was not installed, but still return a zero exit code. Any other suggestions welcome :)

Another option: install the experimental PIE executable coming in PIE 1.4.0 (if possible), since there is no dependency on the installed PHP version; if PIE executable can't be installed, fall back to PHAR (but still have the question about should we exit zero or non-zero if PIE won't work?)

Copy link
Copy Markdown
Contributor Author

@asgrim asgrim Mar 31, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Example:

  Box Requirements Checker
  ========================
  
  > Using PHP 8.6.0-dev
  > PHP is not using any php.ini file.
  
  > Checking Box requirements:
    E..........
  
                                                                                  
  Error: ] Your system is not ready to run the application.                       
                                                                                  
  
  Fix the following mandatory requirements:
  =========================================
  
   * This application requires a PHP version matching
     "8.1.*||8.2.*||8.3.*||8.4.*||8.5.*".

https://github.com/php/php-src/actions/runs/23794236419/job/69337306073?pr=21524#step:3:2548

@$(top_builddir)/sapi/cli/php $(PIE_PHP_FLAGS) $(PIE_PHAR_DESTINATION) self-update > /dev/null 2>&1
@$(top_builddir)/sapi/cli/php $(PIE_PHP_FLAGS) $(PIE_PHAR_DESTINATION) --version
15 changes: 15 additions & 0 deletions pie/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# PIE downloader
Copy link
Copy Markdown
Contributor Author

@asgrim asgrim Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General question to reviewers; what is the earliest version of PHP we could get this into? PIE supports PHP 8.1+, so ideally that, but obviously it is out of support, so won't actually get any new releases. I suppose it would be PHP 8.4+?

Copy link
Copy Markdown
Member

@TimWolla TimWolla Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General question to reviewers; what is the earliest version of PHP we could get this into?

It's a feature, thus master.


When building PHP, the `--with-pie` flag is enabled by default. This will
attempt to download the latest stable version of PIE, using `curl`, `wget`,
`fetch`, or a PHP script.

By default it will download PIE to `$prefix/bin/pie`. You can change
the target path, e.g. `--with-pie=/usr/local/bin`, which will cause PIE to be
downloaded to `/usr/local/bin/pie`.

If the `gh` CLI tool exists on the system, it will be used to verify that the
PIE that is downloaded was built within PHP's CI system. If not, the
`pie self-verify` command is used, but this has limited benefit.

To build PHP without PIE, supply the `--without-pie` flag.
Loading