Phar Signing

Marc Würth edited this page Sep 15, 2023 · 1 revision

PHPMD Phar Signing

To set up signing of the PHPMD phar files, the following must be done.

  1. Create PGP Key pair

    With a passphrase using GnuPG on Linux or "Kleopatra" from Gpg4Win on Windows

    • Name = "PHPMD (PHP Mess Detector)"
    • E-Mail = "pgp@phpmd.org"
    • Expires = never
  2. Document private key, passphrase, public key and revocation certificate in PHPMD/PDepend's Passbolt

    Under "PHPMD" => "PGP":

    • PGP PHPMD Private Key
    • PGP PHPMD Passphrase
    • PGP PHPMD Public Key
    • PGP PHPMD Revocation Certificate
  3. Publish public key on key server

    1. Export public key file
    2. Upload public key file to https://keys.openpgp.org/upload
    3. Manage public key https://keys.openpgp.org/manage
    4. Check E-Mail account "pgp@phpmd.org" for E-Mails from key server (ask @ravage84)
    5. Verify E-mail associated with public key
    6. Check public key on key server https://keys.openpgp.org/search?q=pgp%40phpmd.org
  4. Set up GitHub Actions Secrets

    Add the necessary GitHub action secrets under "Repository secrets" in the PHPMD GitHub repo:

    • PASSPHRASE = (PGP PHPMD Passphrase)
    • SECRET_KEY = (PGP PHPMD Private Key)

    https://github.com/phpmd/phpmd/settings/secrets/actions

  5. Set up Phar Signing in GitHub Action

    Set up signing in the GitHub action that generates the phar file:

    https://github.com/phpmd/phpmd/blob/master/.github/workflows/generate_phar.yml

    Using "pgp@phpmd.org" as signing e-mail address.

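    PASSPHRASE: ${{ secrets.PASSPHRASE }}
    SECRET_KEY: ${{ secrets.SECRET_KEY }}
    
    # Import the private key from the SECRET_KEY secret into the runner's keyring.
    echo "$SECRET_KEY" > keys.asc;
    echo "$PASSPHRASE" | gpg --batch --import keys.asc;
    # Write the detached signature phpmd.phar.asc; gpg reads the passphrase from stdin (--command-fd 0).
    # "$PASSPHRASE" is quoted so the shell passes its characters through literally.
    echo "$PASSPHRASE" | gpg --command-fd 0 --pinentry-mode loopback -u pgp@phpmd.org --batch --detach-sign --output phpmd.phar.asc phpmd.phar;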
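
A local dry run of the signing step above with a throwaway key, as an added example that is not part of the PHPMD workflow: it creates a constructed key pair in a temporary GnuPG home, imports and signs with the same gpg options, and checks that a modified phar fails verification. The function name `dry_run_signing`, the identity `dry-run@example.invalid`, the passphrase and the file contents are assumptions made for the example, and GnuPG 2.1 or later is assumed.

```shell
# Added example: throwaway key and constructed data only, never PHPMD's real key.
# Returns 0 only if the signature verifies and a modified phar is rejected.
dry_run_signing() {
    work=$(mktemp -d) || return 1
    maint="$work/maintainer"; ci="$work/ci"; rc=1
    mkdir -m 700 "$maint" "$ci"
    uid='dry-run@example.invalid'                      # constructed identity
    PASSPHRASE='constructed passphrase; not a secret'  # constructed value

    # Maintainer side (steps 1 and 4): create the key pair (expires never) and
    # export the armored private key, i.e. the value stored as SECRET_KEY.
    echo "$PASSPHRASE" | gpg --homedir "$maint" --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --quick-generate-key "$uid" default default never 2>/dev/null &&
    SECRET_KEY=$(echo "$PASSPHRASE" | gpg --homedir "$maint" --batch \
        --pinentry-mode loopback --passphrase-fd 0 \
        --armor --export-secret-keys "$uid") &&

    # CI side (step 5): empty keyring, same gpg options as the workflow.
    printf 'constructed phar bytes\n' > "$work/phpmd.phar" &&
    echo "$SECRET_KEY" > "$work/keys.asc" &&
    echo "$PASSPHRASE" | gpg --homedir "$ci" --batch --quiet \
        --import "$work/keys.asc" 2>/dev/null &&
    echo "$PASSPHRASE" | gpg --homedir "$ci" --command-fd 0 \
        --pinentry-mode loopback -u "$uid" --batch --detach-sign \
        --output "$work/phpmd.phar.asc" "$work/phpmd.phar" &&

    # Consumer side: the untouched phar must verify, a modified one must not.
    gpg --homedir "$ci" --batch --verify \
        "$work/phpmd.phar.asc" "$work/phpmd.phar" 2>/dev/null &&
    printf 'x' >> "$work/phpmd.phar" &&
    ! gpg --homedir "$ci" --batch --verify \
        "$work/phpmd.phar.asc" "$work/phpmd.phar" 2>/dev/null &&
    rc=0

    # Stop the agents started for the temporary keyrings, then clean up.
    gpgconf --homedir "$maint" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$ci" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}
# Usage: dry_run_signing && echo "sign/verify round trip OK"
```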
    

Some Useful Commands

gpg --refresh-keys
gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys pgp@phpmd.org
phive install phpmd
phive install phpmd/phpmd