In phar, the default signature is still SHA-1, which is no longer considered as secure.

Proposal: switch to SHA256 by default
https://github.com/php/php-src/pull/7341

Old algorithms are not removed; at least, they are required to check old archives. Perhaps it could make sense to raise a warning when they are used.

In snmp, the auth protocol only supports MD5 and SHA-1; RFC 7860 recommends SHA256 and SHA512.
https://github.com/php/php-src/pull/7342

As a minor self-contained change, it is probably not worth an RFC.

Please comment on the PR.

Remi

--
PHP Internals - PHP Runtime Development Mailing List
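Whatever the default is, the signature algorithm of an existing archive can be read and changed through the Phar API. The following is an added example, not part of the original message or of php-src: the function name `auditPhars` and the directory argument are assumptions, and re-signing only works when PHP runs with `phar.readonly=0`.

```php
<?php
// Added example: report the signature algorithm of every .phar in a directory
// and optionally re-sign MD5/SHA-1 archives with SHA-256.
// Assumed invocation: php -d phar.readonly=0 audit.php <dir> [--resign]

const WEAK_TYPES = ['MD5', 'SHA-1'];

function auditPhars(string $dir, bool $resign = false): array
{
    $report = [];
    $readonly = filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN);

    foreach (glob(rtrim($dir, '/') . '/*.phar') ?: [] as $path) {
        try {
            // Opening verifies the stored signature; a mismatch throws.
            $phar = new Phar($path);
            $sig  = $phar->getSignature(); // ['hash' => ..., 'hash_type' => ...] or false
        } catch (UnexpectedValueException $e) {
            $report[$path] = 'UNREADABLE: ' . $e->getMessage();
            continue;
        }

        $type = $sig === false ? 'none' : $sig['hash_type'];

        if (in_array($type, WEAK_TYPES, true)) {
            if ($resign && !$readonly) {
                // Rewrites the archive with a SHA-256 signature.
                $phar->setSignatureAlgorithm(Phar::SHA256);
                $type .= ' -> ' . $phar->getSignature()['hash_type'];
            } else {
                $type .= ' (weak)';
            }
        }
        $report[$path] = $type;
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $resign = in_array('--resign', $argv, true);
    foreach (auditPhars($argv[1], $resign) as $path => $status) {
        echo $path, ': ', $status, PHP_EOL;
    }
}
```

Re-signing changes the archive bytes, so any externally published checksum for the file has to be regenerated afterwards.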