How to sign homebrew PHP module in macOS

Gatekeeper in macOS ensures only verified applications can be executed and this is achieved by signing the application using codesign. Code signing has been optional on macOS Big Sur and prior but mandatory since macOS Monterey.

PHP module installed using homebrew is not signed, so you need to sign it first before it can be used, or you will get the following error;

$ sudo /usr/sbin/apachectl -k restart
Password:
[Thu Nov 17 10:49:52.018764 2022] [so:error] [pid 61938] AH06665: No code signing authority for module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so specified in LoadModule directive.
httpd: Syntax error on line 555 of /private/etc/apache2/httpd.conf: Syntax error on line 8 of /private/etc/apache2/other/00-httpd.conf: Code signing absent - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

You need to create a Certificate Authority for code signing and a code signing certificate before you can sign the PHP module using codesign utility.

Steps to sign homebrew php module using codesign:

Create Certificate Authority for code signing using Keychain Access.

Related: How to create Certificate Authority for Code Signing in macOS
Create code signing certificate using Keychain Access.

Related: How to create code signing certificate in macOS
Launch terminal app.
Install Xcode Command Line Tools if not already installed.
```
$ xcode-select --install
```
Locate location or path of PHP module from Apache's PHP LoadModule directive.
```
$ find -L /etc/apache2 -type f -print0 | xargs -0 grep -i "^loadmodule.*php"
/etc/apache2/other/00-httpd.conf:LoadModule php_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so
```
Base directory for Apache configuration file if you're using Homebrew version of Apache is /usr/local/etc/httpd

Related: Apache configuration files location

grep tool distributed with macOS can't reliably find the LoadModule directive without the use of find command.
Sign PHP module using codesign with the code signing certificate name you've created.
```
$ codesign --sign "Mohd Shakir" --force --keychain ~/Library/Keychains/login.keychain-db /opt/homebrew/opt/php/lib/httpd/modules/libphp.so
```
You need to sign the PHP module every time it is updated or upgraded in Homebrew.
Open Apache configuration file with PHP LoadModule directive using your preferred text editor.
```
$ sudo vi /etc/apache2/other/00-httpd.conf
```

Add code signing certificate name after module path in PHP LoadModule directive.

LoadModule php_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "Mohd Shakir"

Restart Apache for changes to take effect.

$ sudo apachectl -k restart
[Fri Jul 30 07:25:56.693224 2021] [so:notice] [pid 22961] AH06662: Allowing module loading process to continue for module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so because module signature matches authority "Mohd Shakir" specified in LoadModule directive

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.

Discuss the article:

Comment anonymously. Login not required.