On macOS Monterey and later versions, code signing is mandatory for all modules integrated with system services like Apache. This requirement ensures that only verified and trusted code can run on your system. When installing the PHP module via Homebrew, it remains unsigned by default, which prevents Apache from loading it.
$ sudo /usr/sbin/apachectl -k restart Password: [Thu Nov 17 10:49:52.018764 2022] [so:error] [pid 61938] AH06665: No code signing authority for module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so specified in LoadModule directive. httpd: Syntax error on line 555 of /private/etc/apache2/httpd.conf: Syntax error on line 8 of /private/etc/apache2/other/00-httpd.conf: Code signing absent - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so
To resolve this issue, you must manually sign the PHP module using the codesign utility. This process requires the creation of a custom Certificate Authority and a code signing certificate within the Keychain Access tool on macOS. Without this, you will encounter errors during the module loading process, blocking the execution of the module.
After setting up the necessary certificates, you can sign the PHP module and ensure it is accepted by the system’s security protocols. This step is crucial every time the module is updated or reinstalled via Homebrew, to maintain compatibility and security.
Steps to sign homebrew php module using codesign:
- Create a Certificate Authority for code signing using Keychain Access.
- Create code signing certificate using Keychain Access.
- Launch terminal app.
- Install Xcode Command Line Tools if not already installed.
$ xcode-select --install
- Locate location or path of PHP module from Apache's PHP LoadModule directive.
$ find -L /etc/apache2 -type f -print0 | xargs -0 grep -i "^loadmodule.*php" /etc/apache2/other/00-httpd.conf:LoadModule php_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so
Base directory for Apache configuration file if you're using Homebrew version of Apache is /usr/local/etc/httpd
Related: Apache configuration files location
grep tool distributed with macOS can't reliably find the LoadModule directive without the use of find command.
- Sign PHP module using codesign with the code signing certificate name you've created.
$ codesign --sign "Mohd Shakir" --force --keychain ~/Library/Keychains/login.keychain-db /opt/homebrew/opt/php/lib/httpd/modules/libphp.so
You need to sign the PHP module every time it is updated or upgraded in Homebrew.
- Open Apache configuration file with PHP LoadModule directive using your preferred text editor.
$ sudo vi /etc/apache2/other/00-httpd.conf
- Add code signing certificate name after module path in PHP LoadModule directive.
LoadModule php_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "Mohd Shakir"
- Restart Apache for changes to take effect.
$ sudo apachectl -k restart [Fri Jul 30 07:25:56.693224 2021] [so:notice] [pid 22961] AH06662: Allowing module loading process to continue for module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so because module signature matches authority "Mohd Shakir" specified in LoadModule directive
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.
Comment anonymously. Login not required.