Finish signing phar file

Question

Finish signing phar file

tvbeek opened this issue 9 months ago · comments

PHPMD version: 2.13.0
PHP Version: -
Installation type: phive
Operating System / Distribution & Version: All

The phar file isn't signed yet because of the missing secrets:

PASSPHRASE: 
SECRET_KEY:

Marc Würth commented 9 months ago

Done

Lucas Hoffmann · Answer 1 · Mon Oct 02 2023 17:26:40 GMT+0800 (China Standard Time)

@ravage84 thanks for signing. Can you communicate the correct public key somewhere? Otherwise we might just have to accept any key on first contact and that is no better than having unsigned packages (it just means that sombody signed this blob).

Maybe a note in the README and/or the download page that "the phar is signed with this key ..."

It seems the key currently in use is E7A7 4510 2ECC 980F 7338 B307 9093 F8B3 2E48 15AA. Is that correct.

Kyle · Answer 2 · Mon Oct 02 2023 18:14:54 GMT+0800 (China Standard Time)

Yes, you can check it matches here:
https://github.com/phpmd/phpmd/actions/runs/6339367263/job/17218343327#step:10:16

Marc Würth · Answer 3 · Thu Oct 05 2023 21:29:45 GMT+0800 (China Standard Time)

@lucc All the keys available can be found here:

https://keys.openpgp.org/search?q=pgp%40phpmd.org