In here why don't we just verify the public key before trying to use it?

        // When public key is invalid, openssl throws a
        // 'supplied key param cannot be coerced into a public key' warning
        // and phar ignores sig verification.
        // We need to protect from that by catching the warning

I think openssl_pkey_get_public($certificate) would do the job. So this is an input validation task, which should be in the setter and not in the processing code as some kind of workaround...

Btw why don't you send an issue about this feature. Maybe phar maintainers add it to the next release. (it is weird to talk about libs which haven't have maintenance for such a long time)