If you want to install the Hardening-Patch on an operation system like FreeBSD or Gentoo, then you can skip directly to the particular section, because the Hardening-Patch is already within your ports tree.


When you want to install PHP with the Hardening-Patch you have to first perform some preparation steps.

Step 1: Installing the Hardened-PHP Project Signaturekey

You should first grab a copy of the Hardened-PHP Project's Release Signaturekey and import it into your GNU Privacy Guard keychain. (For further information on the usage of gnupg please consult it’s manpage)

#> gpg --import < hardened-php-signature-key.asc
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: key 0A864AA1: public key "Hardened-PHP Signature Key" imported
gpg: Anzahl insgesamt bearbeiteter Schl├╝ssel: 1
gpg:                              importiert: 1

Step 2: Downloading and verifying the necessary files

Depending on the installation path you want to choose you should now grab a copy of PHP with the Hardening-Patch already applied, or a fresh PHP tarball and the latest version of the Hardening-Patch. Additionally you should get the digital signature (*.sig) files. You can grab all of this on our download page.

As a first precaution you can check the MD5 hashs of the downloaded files against those you find on the download page.

#> md5sum php-5.1.4.tar.bz2
66a806161d4a2d3b5153ebe4cd0f2e1c  php-5.1.4.tar.bz2
#> md5sum hardening-patch-5.1.4-0.4.11.patch.gz
c8a0e745687b3a238bafbeeaafd8efb7  hardening-patch-5.1.4-0.4.11.patch.gz


#> md5sum hardening-patch-5.1.4-0.4.11.tar.bz2
c445220fc227ae815aa94602428fc51c  hardening-patch-5.1.4-0.4.11.tar.bz2  

When the MD5 hash values are valid you can check the digital signatures like this.

#> gpg php-5.1.4.tar.bz2.sig
gpg: Signature made Di 16 Mai 2006 23:39:04 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
#> gpg hardening-patch-5.1.4-0.4.11.patch.gz.sig
gpg: Signature made Sa 13 Mai 2006 20:02:53 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"


#> gpg hardening-patch-5.1.4-0.4.11.tar.bz2.sig
gpg: Signature made Sa 13 Mai 2006 20:03:02 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"

Step 3: Unpacking and Patching

If you have downloaded the already prepatched tarball the preparation phase is finished after you have unpacked the tarball.

#> tar -xfj hardening-patch-5.1.4-0.4.11.tar.bz2

Otherwise you have to unpack the PHP tarball, gunzip the patchfile and then apply the patch.

#> tar -xfj php-5.1.4.tar.bz2
#> gunzip hardening-patch-5.1.4-0.4.11.patch.gz
#> cd php-5.1.4
#> patch -p 1 -i ../hardening-patch-5.1.4-0.4.11.patch

Generic Linux/Unix

After having prepared the PHP source tree the next step is not much different from the usual installation of PHP.

#> ./configure --with-whatever-you-want
#> make
#> make test
#> make install

By executing make test you can verify, that PHP still works and does not break anything.

If you are upgrading from a previous installation of PHP you have to recompile all installed PHP modules and extensions after you have installed the Hardening-Patch, because the Hardening-Patch is binary incompatible. If you previously used some binary only extensions you cannot use them anymore, unless it’s vendor provides a special package.

After having recompiled and installed everything, have a look at the bundled php.ini files for examples how to use the new configuration directives. For a documentation of the new directives consult the Configuration section.




Installing the Hardening-Patch on a Gentoo system is very easy, because there is already a USE-flag for it. You just have to do:

#> USE=hardenedphp emerge php

After having installed PHP with the Hardening-Patch you can continue configuring it. Your php.ini file should already contain directives to configure the Hardening-Patch with examples. Additional information about the directives can be found in the Configuration section.


Upgrading to a new PHP or new Hardening-Patch version is quite identical to the normal installation process. This is like upgrading a normal PHP. That means, if the binary compatibility was broken between PHP/Hardening-Patch versions you have to recompile all installed PHP modules/extension.

© Hardened PHP Project