Question 91421 in Apache Question posted in
Some documentation to get you started can be found here.

Unable to find code signature authority on Mac OS Monterey – Apache

I’m updating my question here, at the top, so anyone reading will encounter the latest unresolved issue first.

I was hasty in updating my question in response to Alex Narvey’s advice.

The result of:
bash3.2/Users/jnorris$ codesign -dv --verbose=4 "/opt/homebrew/opt/php/lib/httpd/modules/libphp.so"

is what I have below with the exception of:

...
Authority=My Name's CA
...

not just:

...
Authority=My Name
...

When I set Line 187 of my https.conf to:

LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "My Name's CA"

I get the error message:

bash3.2/Users/jnorris$ apachectl -config
[Mon Feb 21 17:26:12.913882 2022] [so:error] [pid 3892] AH06663: Unable to find code signature authority on module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so that matches authority name "P James Norris's CA" configured on LoadModule directive.
httpd: Syntax error on line 187 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

I take it that My Name's CA is a certificate that give me the authority to issue the signing certificate My Name, but I don’t know if this is correct, and why I’m getting the error message I’m getting now as opposed to below.

Again, any help anyone can give me will be greatly appreciated because if I don’t get this resolved soon, I’m going to downgrade my server to Mac OS 11 Big Sur, and I’d really rather not do that.

=====

I recently upgraded my Mac mini (M1, 2020) to Mac OS Monterey (12.0.1) and discovered that I had to download and code sign PHP 8.1. Having not had to code sign PHP before, I followed the instructions at "How to future proof your apache modules in macOS by signing them with your own certificate authority"1. But when I run apachectl configtest I get the following error message:

AH06663: Unable to find code signature authority on module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so that matches authority name "My Name" configured on LoadModule directive.
httpd: Syntax error on line 187 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

This is what line 187 of my httpd.conf looks like:

LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "my name"

I have confirmed that lib-up.so exists at /opt/homebrew/opt/php/lib/httpd/modules/.

Following Alex Narvey’s advice, I:

bash3.2/Users/jnorris$ codesign -dv --verbose=4 "/opt/homebrew/opt/php/lib/httpd/modules/libphp.so"
Executable=/opt/homebrew/Cellar/php/8.1.1/lib/httpd/modules/libphp.so
Identifier=libphp
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=117087 flags=0x0(none) hashes=3654+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=721664
Hash type=sha256 size=32
CandidateCDHash xxxx
CandidateCDHashFull xxxx
Hash choices=sha256
CMSDigest=xxxx
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=13058048
Executable Segment flags=0x0
Page size=4096
CDHash=xxxx
Signature size=2064
Authority=***My Names's CA***
Signed Time=Dec 25, 2021 at 11:28:37 AM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=84

where I have changed the hashes to xxxx and my certificate name to My Name's CA.

Line 187 of my https.conf now reads:

LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "xxxx"

But I still get the error:

bash3.2/Users/jnorris$ apachectl configtest
[Mon Jan 24 07:38:09.095804 2022] [so:error] [pid 14290] AH06663: Unable to find code signature authority on module at /opt/homebrew/opt/php/lib/httpd/modules/libphp.so that matches authority name "xxxx" configured on LoadModule directive.
httpd: Syntax error on line 187 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

I see someone has asked a similar question at "Unable to codesign PHP v7.4 with Apache on Big Sur"2, but that request for help has been up for 2 months with no replies and s/he is getting error messages that I am not.

Thanks for any help anyone can offer.

Tags:

6

Answers


  1. 0

    Have you added the code signing certificate name after module path in PHP LoadModule directive in the httpd.conf file? For example in your httpd.conf file on line 187 it should now have the certificate name after the module:

    /opt/homebrew/opt/php/lib/httpd/modules/libphp.so your-certificate-name

    Login or Signup to reply.
  2. 0

    I had this same issue and the problem was that I was escaping a special character. This gave me that error:

    LoadModule php_module /usr/local/opt/[email protected]/lib/httpd/modules/libphp.so MY_CERT_COMMON_NAME

    When I changed it to this and took out the escaping in front of the @:

    LoadModule php_module /usr/local/opt/[email protected]/lib/httpd/modules/libphp.so MY_CERT_COMMON_NAME

    The error went away and I got this coveted message instead:

    [Mon Jan 17 08:16:47.071047 2022] [so:notice] [pid 85842] AH06662: Allowing module loading process to continue for module at /usr/local/opt/[email protected]/lib/httpd/modules/libphp.so because module signature matches authority "MY_CERT_COMMON_NAME" specified in LoadModule directive
    Login or Signup to reply.
  3. 0

    You can find out exactly what the matches authority name is by checking the codesigning on the module.

    codesign -dv --verbose=4 "/path/to/ModuleName.so"

    This will yield the results that include a line like:

    Authority=Developer ID Application: Example Name (XYZ12345678)

    So you would put everything after the "Authority=" into your module load directive:

    eg.

    LoadModule php8_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so "Developer ID Application: Example Name (XYZ12345678)"
    Login or Signup to reply.
  4. 0

    For me it was setting my authority certificate to "always trust" mode again after the update.

    1. go to your mac’s keychain and find your certificate
    2. right click / Get Info
    3. in the dialog open the trust tab
    4. set to "Always Trust"

    I went through the same blog article guide and you can find it there in step 29 in the section Contemporary.

    It’s as if Apple trying to ruin my apache setup with every update >.<

    Login or Signup to reply.
  5. 0

    It looks like everyone is experiencing different and unique gotchas so I’m going to add mine in hopes it helps someone else.

    1. Created Certificate Authority (set to Always Trust)
    2. Found the module’s path to sign using grep -nir "^loadmodule.*php" /etc/apache2 the output was /etc/apache2/httpd.conf:72:LoadModule php7_module /usr/local/opt/[email protected]/lib/httpd/modules/libphp7.so
    3. Used codesign to sign the module codesign --sign "YOUR_AUTHORITY_NAME" --force --keychain ~/Library/Keychains/login.keychain-db /usr/local/opt/[email protected]/lib/httpd/modules/libphp7.so
    4. Tried to restart apache using sudo apachectl -k restart and that’s when I encountered a similar error
    Unable to find code signature authority on module at /usr/local/opt/[email protected]/lib/httpd/modules/libphp7.so that matches authority name "YOUR_AUTHORITY_NAME" configured on LoadModule directive.
httpd: Syntax error on line 72 of /private/etc/apache2/httpd.conf: Code signing error - not loading module at: /usr/local/opt/[email protected]/lib/httpd/modules/libphp7.so

    To troubleshoot I used the command codesign -dv --verbose=4 "/path/to/ModuleName.so" to get the authority name, it looked identical BUT I still copied it just to make sure.

    The problem was the apostrophe character was different when certificate authority was created versus the one I manually typed in the terminal.

    Solution: Copy/paste the authority name value from the troubleshooting step Authority=YOUR_AUTHORITY_NAME into your httpd.conf file as well as using it to sign the module.

    After running codesign (step 3) command with the pasted value the output was /usr/local/opt/[email protected]/lib/httpd/modules/libphp7.so: replacing existing signature

    Restart apache sudo apachectl -k restart, received the following output

    AH06662: Allowing module loading process to continue for module at /usr/local/opt/[email protected]/lib/httpd/modules/libphp7.so because module signature matches authority "YOUR_AUTHORITYxe2x80x99s NAME" specified in LoadModule directive

    The apostrophe xe2x80x99s character was the issue in my case.

    Login or Signup to reply.
  6. 0

    if the codesign command yields this message:
    "code object is not signed at all"

    you can sign the module with a built-in utility
    instructions

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search