New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specify PHIVE install GPG keys #3694
Comments
We do ship php documentor with a signature: https://github.com/phpDocumentor/phpDocumentor/releases/tag/v3.4.3 but it has been to long ago for me to remember exactly how this was done :-( Besides that since the moment we wrote about phive, I also created: https://github.com/phpDocumentor/shim |
Thank you. I have gotten it to install with this key: 8AC0BAA79732DD42 Source: https://github.com/fulldecent/phpdoc/actions/runs/8652882245/workflow#L70 Is that official or a MITM key? |
Yes, you can find our public key here: https://keys.openpgp.org/search?q=info%40phpdoc.org or fetch it with |
Thank you, got it. Added improved install instruction at #3699 |
Add gpg key to install instruction, fixes #3694
Currently documentation here recommends to install using PHIVE:
phpDocumentor/README.md
Line 79 in 919d5c1
And our recommended command is:
phpDocumentor/README.md
Line 86 in 919d5c1
PHIVE supports to specify a GPG for security:
https://github.com/phar-io/phive/blob/10e5602f8d8c964bf48bb5c369da8e131c0ab5ae/src/commands/help/help.md?plain=1#L30-L31
I suppose that always using that
--trust-gpg-keys
is best practice. So this issue is to update our documented PHIVE recommended install invocation to include the--trust-gpg-keys
argument.And this may require signing the releases of phpDocumentator, whould should be a good thing.
The text was updated successfully, but these errors were encountered: