phpmd / phpmd

PHPMD is a spin-off project of PHP Depend and aims to be a PHP equivalent of the well known Java tool PMD. PHPMD can be seen as an user friendly frontend application for the raw metrics stream measured by PHP Depend.

Home Page:https://phpmd.org


Unexpected change of the PHAR signature for all releases from 2.10.0 to 2.12.0

vertexvaar opened this issue · comments

  • PHPMD version: 2.10.0 - 2.12.0
  • PHP Version: #.#.#
  • Installation type: phive
  • Operating System / Distribution & Version: linux

Current Behavior

The signature of all releases from 2.10.0 to 2.12.0 changed 19 hours ago and was signed by a signing key with the mail phpmd@proton.me. From what I understood, the mail should be pgp@phpmd.org instead (#688 (comment)) and was used prior to the signature change.
It seems to be (at least in timing) related to the PR #688

Downloading https://github.com/phpmd/phpmd/releases/download/2.12.0/phpmd.phar
Downloading https://github.com/phpmd/phpmd/releases/download/2.12.0/phpmd.phar.asc
Downloading key A4E55EA12C7C085C
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xA4E55EA12C7C085C
Successfully downloaded key.
	Fingerprint: 9882 DD2B 3881 3C08 EA65 1B69 A4E5 5EA1 2C7C 085C
	PHPMD (PHPMD Phar Releases Signer) <phpmd@proton.me>
	Created: 2022-08-22
Import this key? [y|N]

Expected Behavior

I expect the signatures to be signed by the key belonging to pgp@phpmd.org

Steps To Reproduce:

Install phpmd with phive (maybe clear your imported keys from ~/.phive before)

Checks before submitting

  • Be sure that there isn't already an issue about this. See: Issues list
  • Be sure that there isn't already a pull request about this. See: Pull requests
  • I have added every step to reproduce the bug.
  • If possible I added relevant code examples.
  • This issue is about 1 bug and nothing more.
  • The issue has a descriptive title. For example: "JSON rendering failed on Windows for filenames with space".

It's not unexpected that the signature is changed. I don't know if that is the case for the email address.


It didn't change, 2.10.0 to 2.12.0 releases were not signed at all until yesterday.

I signed them with another key to unlock the install of the new releases; we'll change the signature back to the key for pgp@phpmd.org if we finish automating the process.

But as mentioned in #960 (comment)

Fingerprint: 9882 DD2B 3881 3C08 EA65 1B69 A4E5 5EA1 2C7C 085C
PHPMD (PHPMD Phar Releases Signer) <phpmd@proton.me>

is ours and can be trusted.

Thank you for clarification 👍
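The thread above shows phive prompting the user to import whatever key the keyserver returns for the signature's key ID. An added example, not part of phpmd or phive, that instead pins the fingerprint the maintainer confirmed and verifies phpmd.phar against phpmd.phar.asc in a throwaway keyring (file names and the hkps keyserver URL are assumptions):

```shell
#!/bin/sh
# Added example (not phpmd's or phive's own code): verify phpmd.phar against its
# detached signature while requiring the signing key to match a pinned fingerprint.
# The fingerprint is the one confirmed in the thread; file names are assumed.

PINNED_FPR="9882DD2B38813C08EA651B69A4E55EA12C7C085C"

# Normalise a fingerprint as printed by gpg/phive: drop spaces, a 0x prefix,
# and upper-case the hex so different renderings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only when the given fingerprint equals the pinned one.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$PINNED_FPR")" ]
}

# Verify $1 (phar) against $2 (.asc) in a temporary keyring. Returns 0 only if
# gpg reports a valid signature AND the primary key fingerprint is the pinned one,
# so a different key returned by the keyserver is rejected instead of imported.
verify_phar() {
    phar="$1"; sig="$2"
    tmp="$(mktemp -d)" || return 2
    gpg --homedir "$tmp" --batch --quiet \
        --keyserver hkps://keys.openpgp.org --recv-keys "$PINNED_FPR" \
        || { rm -rf "$tmp"; return 2; }
    # --status-fd 1 emits machine-readable lines; VALIDSIG's last field is the
    # primary key fingerprint of the signer.
    status="$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$phar" 2>/dev/null)"
    rm -rf "$tmp"
    signer="$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')"
    [ -n "$signer" ] && fpr_matches "$signer"
}
```

Run `verify_phar phpmd.phar phpmd.phar.asc` after downloading both files; a non-zero exit means either the signature did not verify or it was made by a key other than the pinned one.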