02 Jun 2018

How to introduce code obfuscation in your continuous delivery model

Remote ionCube logo

TL;DR

As encoding becomes a regular part of your development cycle, you may start to wonder how you can automate the process and make it part of your continuous delivery model. This article explains how to automate code obfuscation as part of your continuous delivery model.

What?

As a release manager or developer I would like to have the source code encoded when a new version is released without having to do it manually.

Why?

We used to have a machine in our office dedicated to run the ionCube software. Whenever a new version was released, someone had to manually execute a step-by-step sequence to create an encoded version thereof. The ionCube software allows you to do it very easily. However, if you have to do this frequently, the repetitive nature of it would drive you insane.

It was during this insanity that we decided to automate it. The idea is very simple: move it to a cloud server and trigger it remotely. This extended into adopting it in our deployment pipeline, making it completely automated.

 

How?

The developer pushes a tag (or a branch) to the remote repository. Bitbucket’s pipelines catches the new tag (or updated branch) and executes a script. This script connects to the remote machine via ssh and executes the ionCube encoder.

 

Pros

  • Guaranteed compatibility of source code against the version of PHP
  • Reverse engineering attempts require more effort
  • Mitigate license manipulation/abuse

Cons

  • Setup time
  • Adds some time to your CD (depends on the size of your project)

This article was also published here.

Hello World

Step-by-step walkthrough to help you get started. You should be able to adapt this into your CI/CD flow regardless of what technology you are using. 

Preparation

  1. Sign up for the ionCube Encoder trial and copy the download link (will be emailed to your inbox)
  2. Set up public key authentication to the remote server

Let’s go

  1. Copy git repo on local machine
    me@local:/my-working-dir
    git clone git@github.com:HendrikPrinsZA/ssh-ioncube.git && cd ssh-ioncube
  2. Copy git repo on remote machine 
    administrator@devops.example.com:/var/www/html (ssh)
    git clone git@github.com:HendrikPrinsZA/ssh-ioncube.git && cd ssh-ioncube
  3. Install ionCube PHP Encoder on remote machine 
    administrator@devops.example.com:/home/administrator (ssh)
    wget http://downloads3.ioncube.com/eval_download_packages/ioncube_encoder/linux_i686/en/ioncube_encoder_evaluation.tar.gz
    tar -zxvf ioncube_encoder_evaluation.tar.gz
  4. Trigger encoding from local machine 
    me@local:/my-working-dir/ssh-ioncube
    ./local.sh --host="devops.example.com" \
    --user="administrator" \
    --exec="/var/www/html/ssh-ioncube/remote.sh" \
    --source="/var/www/html/ssh-ioncube/raw" \
    --target="/var/www/html/ssh-ioncube/encoded" \
    --dir="example-app" \
    --encoder="/home/administrator/ioncube_encoder_evaluation/ioncube_encoder.sh" \
    --verbose

Continuous Delivery Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.