Phar Signing
Marc Würth edited this page Sep 15, 2023 · 1 revision
To set up signing of the PHPMD phar files, the following must be done.
Create PGP Key pair
Generate the key pair with a passphrase, using GnuPG on Linux or "Kleopatra" from Gpg4Win on Windows:
- Name = "PHPMD (PHP Mess Detector)"
- E-Mail = "pgp@phpmd.org"
- Expires = never
Document private key, passphrase, public key and revocation certificate in PHPMD/PDepend's Passbolt
Store them under "PHPMD" => "PGP" as:
- PGP PHPMD Private Key
- PGP PHPMD Passphrase
- PGP PHPMD Public Key
- PGP PHPMD Revocation Certificate
Publish public key on key server
- Export public key file
- Upload public key file to https://keys.openpgp.org/upload
- Manage public key https://keys.openpgp.org/manage
- Check the E-Mail account "pgp@phpmd.org" for E-Mails from the key server (ask @ravage84)
- Verify E-mail associated with public key
- Check public key on key server https://keys.openpgp.org/search?q=pgp%40phpmd.org
Setup GitHub Actions Secrets
Add the necessary GitHub Actions secrets under "Repository secrets" in the PHPMD GitHub repo:
- PASSPHRASE = (PGP PHPMD Passphrase)
- SECRET_KEY = (PGP PHPMD Private Key)
Setup Phar Signing in GitHub Action
Set up signing in the GitHub Actions workflow that generates the phar file:
https://github.com/phpmd/phpmd/blob/master/.github/workflows/generate_phar.yml
The signing step receives the two repository secrets as environment variables and uses "pgp@phpmd.org" as the signing e-mail address:

```yaml
env:
  PASSPHRASE: ${{ secrets.PASSPHRASE }}
  SECRET_KEY: ${{ secrets.SECRET_KEY }}
run: |
  # import the private key, then write a detached ASCII-armored signature next to the phar
  echo "$SECRET_KEY" > keys.asc
  echo "$PASSPHRASE" | gpg --batch --import keys.asc
  sh -c "echo $PASSPHRASE | gpg --command-fd 0 --pinentry-mode loopback -u pgp@phpmd.org --batch --detach-sign --output phpmd.phar.asc phpmd.phar"
```
Users can then fetch the public key from the key server and install the signed phar with PHIVE, which verifies the signature:

```sh
# refresh keys already in the local keyring, then fetch the PHPMD signing key from keys.openpgp.org
gpg --refresh-keys
gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys pgp@phpmd.org
# install via PHIVE, which checks the phar's GPG signature (by alias or by GitHub repository name)
phive install phpmd
phive install phpmd/phpmd
```
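A consumer-side companion to the commands above, added here as an example that is not part of the PHPMD project: it parses the detached, ASCII-armored signature the workflow produces (phpmd.phar.asc) far enough to report which key it claims as issuer, so that fingerprint can be compared against a pinned value before trusting `gpg --verify`, which reports success for any key that happens to be in the keyring. The fingerprint and signature bytes below are constructed placeholders, not PHPMD's real key.

```python
import base64
import struct

def dearmor(text):
    lines = text.strip().splitlines()  # BEGIN line, optional headers, blank line, base64, "=CRC", END line
    body = [ln for ln in lines[lines.index("") + 1:] if not ln.startswith(("=", "-----END"))]
    return base64.b64decode("".join(body))

def parse_subpackets(data):
    out, i = {}, 0
    while i < len(data):  # 1-, 2- or 5-octet length that covers the type octet plus payload
        n, i = data[i], i + 1
        if 192 <= n < 255:
            n, i = ((n - 192) << 8) + data[i] + 192, i + 1
        elif n == 255:
            n, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
        out[data[i] & 0x7F] = data[i + 1:i + n]  # bit 7 of the type octet is the "critical" flag
        i += n
    return out

def signature_info(armored):
    pkt = dearmor(armored)
    if pkt[0] & 0x40:  # new-format header: tag in the low 6 bits, one-octet body length assumed
        tag, body = pkt[0] & 0x3F, pkt[2:]
    else:              # old-format header (what gpg emits): tag in bits 2-5, length-type in bits 0-1
        tag, body = (pkt[0] >> 2) & 0x0F, pkt[1 + (1, 2, 4, 0)[pkt[0] & 3]:]
    if tag != 2 or body[0] != 4:
        raise ValueError("not a v4 OpenPGP signature packet")
    hlen = struct.unpack(">H", body[4:6])[0]  # hashed subpackets first, then unhashed subpackets
    hashed = parse_subpackets(body[6:6 + hlen])
    unhashed = parse_subpackets(body[8 + hlen:8 + hlen + struct.unpack(">H", body[6 + hlen:8 + hlen])[0]])
    fpr = hashed.get(33)  # issuer fingerprint subpacket: version octet + 20-byte v4 fingerprint
    return {"hash_algo": body[3], "created": struct.unpack(">I", hashed[2])[0],
            "key_id": (hashed.get(16) or unhashed.get(16, b"")).hex().upper(),
            "fingerprint": fpr[1:].hex().upper() if fpr else None}

def matches_pinned_key(armored, expected_fpr):
    # gpg --verify succeeds for any imported key, so pin the issuer fingerprint (or key ID = last 16 hex digits)
    info, want = signature_info(armored), expected_fpr.replace(" ", "").upper()
    if info["fingerprint"]:
        return info["fingerprint"] == want
    return bool(info["key_id"]) and want.endswith(info["key_id"])

# Constructed sample (placeholder key, not PHPMD's; dummy MPI): RSA, SHA-256, binary-document signature
EXAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_hashed = bytes([5, 2]) + struct.pack(">I", 1694736000) + bytes([22, 33, 4]) + bytes.fromhex(EXAMPLE_FPR)
_unhashed = bytes([9, 16]) + bytes.fromhex(EXAMPLE_FPR)[-8:]
_body = bytes([4, 0, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed + struct.pack(">H", len(_unhashed)) + _unhashed + b"\xab\xcd\x00\x07\x42"
_pkt = bytes([0x89]) + struct.pack(">H", len(_body)) + _body  # old-format header: tag 2, 2-octet length
SAMPLE_ASC = "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n" % base64.b64encode(_pkt).decode()
```

Run `matches_pinned_key(open("phpmd.phar.asc").read(), "<pinned fingerprint>")` against a real download before `gpg --verify`; a mismatch means the signature was made by a key other than the one documented, whatever gpg's verdict.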