#521 Sign PHAR builds #688
I think we should have a key for the project, but except that I think it is a good idea!
Who's in charge of phpmd.org and could create an email address and an organisation key?
I think @ravage84 is the person for creating the key.
@tvbeek I'm on it.
https://github.com/phpmd/phpmd/releases/tag/2.7.0 has a signature now. Hope it's correct.
.travis.yml
Outdated
- | | ||
if [[ $BUILD_PHAR = 'true' ]]; then | ||
git submodule update --init && ant package -D-phar:filename=./phpmd.phar && ./phpmd.phar --version; | ||
gpg -u kylekatarnls@gmail.com --detach-sign --output ./phpmd.phar.asc ./phpmd.phar |
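Review bot: on the gpg line, --detach-sign without --armor writes a binary signature, but the output is named ./phpmd.phar.asc, an extension that conventionally marks ASCII-armored data; add --armor or use a .sig name so the file is what its name says. The -u value is a personal address, so the signature ties the release to one contributor's key rather than a project key. Consider following the signing step with gpg --verify ./phpmd.phar.asc ./phpmd.phar so a broken or wrongly keyed signature fails the build before a release is published.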
Email should be pgp@phpmd.org
I have created a pgp private/public key pair and published the key as mentioned here. @kylekatarnls is there anything else to be done?
It's not working yet. The key is not available here: https://keys.openpgp.org/search?q=pgp%40phpmd.org The error I'm getting from phive is:
@ravage84 Maybe you can try to submit it here? https://keys.openpgp.org/upload
Our how-to page suggests to upload keys to Given that there are various issues with their approach on how to handle public keys, signatures as well as the actual server software, a new keyserver software has been developed along with a different concept on how to manage keys: Enter keys.openpgp.org. Given that That being said: The new server doesn't sync with the old world. So it's expected not to be found. That shouldn't be a problem per se as As already mentioned and as Are you sure the upload worked? Best option would be to register it on keys.openpgp.org. Please make sure the key id the key you register equals the one If you need any assistance, please just ping me.
I'm pretty sure it worked last night. But soon after the seemingly successful upload, the website had some serious problems. Wasn't me... 😁 I noticed I created two keys last night, of which I revoked one. I think I used the revoked one to sign the phar. Anyway, I extracted and uploaded the pub key again to pgp.mit.edu and to keys.openpgp.org. And it seems to have worked.
Thanks guys for your support. @theseer @steffenbrand
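A check for the two failure modes described in the comments above (a PHAR signed with a revoked key, a key the verifier cannot find), as an added example that is not part of this PR or of any project mentioned in it: it classifies the status lines `gpg --status-fd` emits and pins the expected key fingerprint. The function name, `PINNED_FPR`, and the sample fingerprint and identity are assumptions constructed for illustration.

```shell
# Added example (not from the PR). Intended use in a build:
#   gpg --status-fd 1 --verify phpmd.phar.asc phpmd.phar 2>/dev/null \
#     | sig_verdict "$PINNED_FPR"
# PINNED_FPR (assumed name) is the full fingerprint of the release key.

# Reads gpg status lines on stdin, prints a verdict, returns 0 only for "ok".
sig_verdict() {
  pinned=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ' ')
  good=0; fpr=""; primary=""; verdict=""
  while read -r tag kw rest || [ -n "$tag" ]; do
    [ "$tag" = "[GNUPG:]" ] || continue
    case "$kw" in
      GOODSIG)   good=1 ;;
      REVKEYSIG) verdict="revoked-key" ;;       # signature checks out, key is revoked
      EXPKEYSIG) verdict="expired-key" ;;
      EXPSIG)    verdict="expired-signature" ;;
      BADSIG)    verdict="bad-signature" ;;     # file or signature was altered
      ERRSIG)    [ -n "$verdict" ] || verdict="unverifiable" ;;
      NO_PUBKEY) verdict="missing-key" ;;       # key not in the local keyring
      VALIDSIG)  # first field: signing key fingerprint; last: primary key
        for f in $rest; do [ -n "$fpr" ] || fpr=$f; primary=$f; done ;;
    esac
  done
  if [ -n "$verdict" ]; then :                  # any failure status wins
  elif [ "$good" -ne 1 ] || [ -z "$fpr" ]; then verdict="no-valid-signature"
  elif [ "$fpr" != "$pinned" ] && [ "$primary" != "$pinned" ]; then verdict="unexpected-key"
  else verdict="ok"
  fi
  printf '%s\n' "$verdict"
  [ "$verdict" = "ok" ]
}

# Constructed status output; the fingerprint and identity are placeholders.
FPR=0123456789ABCDEF0123456789ABCDEF01234567
WHO="89ABCDEF01234567 Example Release Key <release@example.org>"
VALID="VALIDSIG $FPR 2020-01-01 1577836800 0 4 0 1 8 00 $FPR"
sample_good()    { printf '[GNUPG:] %s\n' "GOODSIG $WHO" "$VALID"; }
sample_revoked() { printf '[GNUPG:] %s\n' "REVKEYSIG $WHO" "$VALID"; }
sample_missing() { printf '[GNUPG:] %s\n' "ERRSIG 89ABCDEF01234567 1 8 00 1577836800 9 $FPR" "NO_PUBKEY 89ABCDEF01234567"; }

for s in sample_good sample_revoked sample_missing; do
  printf '%-15s ' "$s"; "$s" | sig_verdict "$FPR" || true
done
```

Pinning the full fingerprint rather than the e-mail address matters here because two keys were created for the same identity and only one of them was meant to sign releases.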
Thanks a lot. I'm really grateful for the work you guys do!
Glad it worked. Two small notes:
I thought so, but the documentation isn't really clear about that. Trying to fix that: phar-io/phar.io/pull/66
We will, once everything works as it should (after this PR is merged, I guess). Thanks again!
Infection does it nicely.
Type: feature
Breaking change: no
Sign PHAR builds with GPG key.
Fix #723
Fix #521