Specify PHIVE install GPG keys

[fulldecent]

Currently documentation here recommends to install using PHIVE:

phpDocumentor/README.md

Line 79 in 919d5c1

1. Using phive (recommended)

And our recommended command is:

phpDocumentor/README.md

Line 86 in 919d5c1

`$ phive install phpDocumentor`

PHIVE supports to specify a GPG for security:

https://github.com/phar-io/phive/blob/10e5602f8d8c964bf48bb5c369da8e131c0ab5ae/src/commands/help/help.md?plain=1#L30-L31

I suppose that always using that --trust-gpg-keys is best practice. So this issue is to update our documented PHIVE recommended install invocation to include the --trust-gpg-keys argument.

And this may require signing the releases of phpDocumentator, whould should be a good thing.

[jaapio]

We do ship php documentor with a signature: https://github.com/phpDocumentor/phpDocumentor/releases/tag/v3.4.3 but it has been to long ago for me to remember exactly how this was done :-(

Besides that since the moment we wrote about phive, I also created: https://github.com/phpDocumentor/shim
which is a composer package using the signature to verify the downloaded phar. Maybe this helps you a bit?

[fulldecent]

Thank you. I have gotten it to install with this key:

8AC0BAA79732DD42

Source: https://github.com/fulldecent/phpdoc/actions/runs/8652882245/workflow#L70

Is that official or a MITM key?

[jaapio]

Yes, you can find our public key here: https://keys.openpgp.org/search?q=info%40phpdoc.org

or fetch it with gpg --recv-key 8AC0BAA79732DD42 This will add the key to your trusted keys to phive can validate.

[fulldecent]

Thank you, got it.

Added improved install instruction at #3699