Unexpected change of the PHAR signature for all releases from 2.10.0 to 2.12.0
vertexvaar opened this issue
- PHPMD version: 2.10.0 - 2.12.0
- PHP Version: #.#.#
- Installation type: phive
- Operating System / Distribution & Version: linux
Current Behavior
The signature of all releases from 2.10.0 to 2.12.0 changed 19 hours ago and was signed by a signing key with the mail phpmd@proton.me. From what I understood, the mail should be pgp@phpmd.org instead (#688 (comment)), which was used prior to the signature change.
It seems to be (at least in timing) related to the PR #688
Downloading https://github.com/phpmd/phpmd/releases/download/2.12.0/phpmd.phar
Downloading https://github.com/phpmd/phpmd/releases/download/2.12.0/phpmd.phar.asc
Downloading key A4E55EA12C7C085C
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xA4E55EA12C7C085C
Successfully downloaded key.
Fingerprint: 9882 DD2B 3881 3C08 EA65 1B69 A4E5 5EA1 2C7C 085C
PHPMD (PHPMD Phar Releases Signer) <phpmd@proton.me>
Created: 2022-08-22
Import this key? [y|N]
Expected Behavior
I expect the signatures to be signed by the key belonging to pgp@phpmd.org
Steps To Reproduce:
Install phpmd with phive (maybe clear your imported keys from ~/.phive first)
Checks before submitting
- Be sure that there isn't already an issue about this. See: Issues list
- Be sure that there isn't already a pull request about this. See: Pull requests
- I have added every step to reproduce the bug.
- If possible I added relevant code examples.
- This issue is about 1 bug and nothing more.
- The issue has a descriptive title. For example: "JSON rendering failed on Windows for filenames with space".
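The report above shows phive offering to import whatever key the keyserver returns for the key ID in the signature. As an added defender-side check (example code, not part of phive or PHPMD), the script below verifies the PHAR against its detached signature and additionally requires the signer's primary-key fingerprint to match a pinned allowlist, so a valid signature from an unexpected key is rejected rather than prompting for trust. The fingerprint is the one quoted in the issue; GnuPG 2.x is assumed to be installed.

```shell
#!/bin/sh
# Added example (not phive's or PHPMD's code): verify a downloaded PHAR against
# its detached signature AND require the signer to be a pinned primary-key
# fingerprint. A valid signature from any other key is rejected, which is the
# check a keyserver lookup alone does not give you. Assumes GnuPG 2.x is installed.

# Space-separated allowlist of primary-key fingerprints (no spaces inside each).
# The value below is the phpmd@proton.me key fingerprint quoted in the issue.
PINNED_FPRS="9882DD2B38813C08EA651B69A4E55EA12C7C085C"

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# of the first VALIDSIG line (last field; fall back to field 3 if it is absent).
# Prints nothing when gpg reported no valid signature.
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            f = $NF; if (length(f) != 40) f = $3
            print toupper(f); exit
         }'
}

# Succeed only if $1 (spaces and case ignored) is in PINNED_FPRS.
is_pinned() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$fpr" ] || return 1
    for p in $PINNED_FPRS; do
        [ "$p" = "$fpr" ] && return 0
    done
    return 1
}

# verify_pinned <file> <detached .asc>: cryptographic check by gpg, then key pinning.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || {
        echo "REJECT: $1: signature does not verify" >&2; return 1; }
    fpr=$(printf '%s\n' "$status" | signer_fingerprint)
    if is_pinned "$fpr"; then
        echo "OK: $1 signed by pinned key $fpr"
    else
        echo "REJECT: $1 signed by unpinned key '${fpr:-none}'" >&2
        return 1
    fi
}

# Usage, after downloading both files from the release page quoted above:
#   verify_pinned phpmd.phar phpmd.phar.asc
```

When the maintainers switch back to the pgp@phpmd.org key, the rotation shows up as a REJECT for the new fingerprint until the allowlist is deliberately updated, which is the point of pinning.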
It's not unexpected that the signature has changed. I don't know if that is the case for the email address.
It didn't change; the 2.10.0 to 2.12.0 releases were not signed at all until yesterday.
I signed them with another key to unlock the install of the new releases; we'll change the signature back to the key for pgp@phpmd.org once we finish automating the process.
But as mentioned in #960 (comment)
Fingerprint: 9882 DD2B 3881 3C08 EA65 1B69 A4E5 5EA1 2C7C 085C
PHPMD (PHPMD Phar Releases Signer) <phpmd@proton.me>
is ours and can be trusted.
Thank you for clarification 👍