Phar Signing
Marc Würth edited this page Sep 15, 2023 (1 revision)
To set up signing of the PDepend phar files (pdepend.phar), the following must be done.
- Create PGP key pair
  With a passphrase, using GnuPG on Linux or "Kleopatra" from Gpg4win on Windows:
  - Name = "PDepend"
  - E-Mail = "pgp@pdepend.org"
  - Expires = never
  A key that never expires can only be retired with its revocation certificate, which is why the certificate is stored in the next step. Keep the passphrase strong: the private key leaves the maintainer's machine as a CI secret, and the passphrase is the only thing protecting it at rest.
- Document the private key, passphrase, public key and revocation certificate in PHPMD/PDepend's Passbolt
  Under "PDepend" => "PGP":
  - PGP PDepend Private Key
  - PGP PDepend Passphrase
  - PGP PDepend Public Key
  - PGP PDepend Revocation Certificate
- Publish the public key on a key server
  - Export the public key file
  - Upload the public key file to https://keys.openpgp.org/upload
  - Manage the public key at https://keys.openpgp.org/manage
  - Check the "pgp@pdepend.org" e-mail account for e-mails from the key server (ask @ravage84)
  - Verify the e-mail address associated with the public key (keys.openpgp.org only makes a key findable by e-mail address once that address is verified)
  - Check the public key on the key server: https://keys.openpgp.org/search?q=pgp%40pdepend.org
- Set up GitHub Actions secrets
  Add the necessary GitHub Actions secrets under "Repository secrets" in the PDepend GitHub repo:
  - PASSPHRASE = (PGP PDepend Passphrase)
  - SECRET_KEY = (PGP PDepend Private Key, the full ASCII-armored block)
- Set up phar signing in the GitHub Action
  Set up signing in the GitHub Action that generates the phar file:
  https://github.com/pdepend/pdepend/blob/master/.github/workflows/generate_phar.yml
  Use "pgp@pdepend.org" as the signing e-mail address (the `-u` user ID below). The two secrets are mapped to environment variables of the signing step:

  ```yaml
  env:
    PASSPHRASE: ${{ secrets.PASSPHRASE }}
    SECRET_KEY: ${{ secrets.SECRET_KEY }}
  ```

  The step then imports the private key and writes a detached signature next to the phar. The passphrase is fed to gpg through stdin, not wrapped in a `sh -c "echo $PASSPHRASE | ..."` command string, so it never appears in a process listing and cannot break the command when it contains shell metacharacters:

  ```sh
  # Write the armored private key from the secret to disk and import it.
  echo "$SECRET_KEY" > keys.asc
  echo "$PASSPHRASE" | gpg --batch --import keys.asc
  # Detached signature pdepend.phar.asc; the passphrase is read from stdin over loopback pinentry.
  echo "$PASSPHRASE" | gpg --command-fd 0 --pinentry-mode loopback -u pgp@pdepend.org --batch --detach-sign --output pdepend.phar.asc pdepend.phar
  ```

  keys.asc contains the private key: make sure it is neither committed nor attached to the release artifacts.
- Fetch the public key and install the signed phar
  On the user side, the signing key is fetched from the key server and PHIVE installs the phar:

  ```sh
  # Update already-known keys, then fetch the PDepend signing key by e-mail address from keys.openpgp.org.
  gpg --refresh-keys
  gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys pgp@pdepend.org
  # Either the phars.io alias or the GitHub repository; PHIVE downloads pdepend.phar and pdepend.phar.asc and verifies the signature.
  phive install pdepend
  phive install pdepend/pdepend
  ```

  PHIVE shows the fingerprint of the signing key and asks before importing it; compare it with the fingerprint listed at https://keys.openpgp.org/search?q=pgp%40pdepend.org before accepting.
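The whole procedure as one runnable script, added here as an example and not code from the PDepend project: it generates a throw-away key, exports what would go into the two secrets, imports the key into a separate "runner" keyring and signs a constructed stand-in for pdepend.phar the way the workflow step does, verifies it from a third "user" keyring that only holds the public key, and finally confirms that a tampered phar is rejected. The e-mail address pgp@example.invalid, the passphrase and the phar contents are assumptions for the demo; the script needs GnuPG 2.1 or newer on PATH and never touches ~/.gnupg.

```shell
#!/bin/sh
# Added example, not code from the PDepend project: the signing procedure
# above run end to end with a throw-away key. The e-mail address, the
# passphrase and the "phar" contents are constructed for this demo.
set -eu

DEMO_EMAIL="pgp@example.invalid"                 # assumption: stands in for pgp@pdepend.org
DEMO_PASSPHRASE="correct horse battery staple"   # constructed; in CI this is secrets.PASSPHRASE

# A private GNUPGHOME per role (key owner, CI runner, end user) keeps the
# demo away from ~/.gnupg and makes the key transfer between roles explicit.
new_gnupghome() {
    d=$(mktemp -d) && chmod 700 "$d" && printf '%s\n' "$d"
}

# Step "Create PGP key pair": a never-expiring, sign-only key, generated
# non-interactively. GnuPG also writes a revocation certificate into
# $GNUPGHOME/openpgp-revocs.d/ at this point; that is the file kept in Passbolt.
generate_key() {   # $1 = owner's GNUPGHOME
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: PDepend Demo
Name-Email: $DEMO_EMAIL
Expire-Date: 0
Passphrase: $DEMO_PASSPHRASE
%commit
EOF
}

# Step "Set up GitHub Actions secrets": the value that becomes SECRET_KEY.
# The armored secret key stays passphrase protected, so the secret alone
# is not enough to sign anything.
export_secret_key() {   # $1 = owner's GNUPGHOME, $2 = output file
    printf '%s\n' "$DEMO_PASSPHRASE" | GNUPGHOME="$1" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --armor --export-secret-keys "$DEMO_EMAIL" > "$2"
}

# Step "Set up phar signing in the GitHub Action": import the key on the
# runner and create the detached signature. The passphrase travels over a
# pipe, never as a command-line argument, so it does not show up in ps output.
import_secret_key() {   # $1 = runner's GNUPGHOME, $2 = armored secret key file
    printf '%s\n' "$DEMO_PASSPHRASE" | GNUPGHOME="$1" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 --import "$2"
}
sign_file() {   # $1 = runner's GNUPGHOME, $2 = file to sign; writes $2.asc
    printf '%s\n' "$DEMO_PASSPHRASE" | GNUPGHOME="$1" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --local-user "$DEMO_EMAIL" --armor --detach-sign --output "$2.asc" "$2"
}

# User side: verify the detached signature with only the public key present.
# Exit status 0 means "good signature"; anything else is a failure.
verify_file() {   # $1 = user's GNUPGHOME, $2 = file with $2.asc next to it
    GNUPGHOME="$1" gpg --batch --quiet --verify "$2.asc" "$2" 2>/dev/null
}

# Runs the whole flow. Returns 0 when the untouched file verifies and the
# tampered copy is rejected, 1 on any other outcome, 2 when gpg is missing.
run_demo() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d)
    owner=$(new_gnupghome); runner=$(new_gnupghome); user=$(new_gnupghome)

    generate_key "$owner"
    GNUPGHOME="$owner" gpg --batch --quiet --armor --export "$DEMO_EMAIL" > "$work/pubkey.asc"
    export_secret_key "$owner" "$work/secret.asc"

    # Constructed stand-in for the real pdepend.phar.
    printf 'constructed stand-in for pdepend.phar\n' > "$work/pdepend.phar"
    import_secret_key "$runner" "$work/secret.asc"
    sign_file "$runner" "$work/pdepend.phar"

    GNUPGHOME="$user" gpg --batch --quiet --import "$work/pubkey.asc"
    verify_file "$user" "$work/pdepend.phar" || return 1

    # A single appended byte must break the signature.
    printf 'x' >> "$work/pdepend.phar"
    if verify_file "$user" "$work/pdepend.phar"; then return 1; fi

    for h in "$owner" "$runner" "$user"; do GNUPGHOME="$h" gpgconf --kill gpg-agent || true; done
    rm -rf "$work" "$owner" "$runner" "$user"
    return 0
}

# Usage: sh phar_signing_demo.sh
status=0; run_demo || status=$?
case $status in
    0) echo "signature verified, tampered phar rejected" ;;
    2) echo "gpg not installed, demo skipped" ;;
    *) echo "demo failed" ;;
esac
```

The three keyrings mirror the real setup: only the owner's keyring ever sees key generation, the runner gets the protected secret key plus the passphrase through separate channels, and the user needs nothing but the public key published on the key server.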