
#521 Sign PHAR builds #688

Closed

Conversation

kylekatarnls (Member) commented Oct 29, 2019

Type: feature
Breaking change: no

Sign PHAR builds with GPG key.

Fix #723
Fix #521

tvbeek added the PHAR label (Issues related to the phar file.) Oct 29, 2019

tvbeek (Member) commented Oct 29, 2019

I think we should have a key for the project, but except that I think it is a good idea!

steffenbrand commented:

> I think we should have a key for the project, but except that I think it is a good idea!

Who's in charge of phpmd.org and could create an email address and an organisation key?

tvbeek (Member) commented Oct 29, 2019

I think @ravage84 is the person for creating the key.

ravage84 (Member) commented:

@tvbeek I'm on it.

ravage84 (Member) commented:

https://github.com/phpmd/phpmd/releases/tag/2.7.0 has a signature now. Hope it's correct.

.travis.yml Outdated
- |
if [[ $BUILD_PHAR = 'true' ]]; then
git submodule update --init && ant package -D-phar:filename=./phpmd.phar && ./phpmd.phar --version;
gpg -u kylekatarnls@gmail.com --detach-sign --output ./phpmd.phar.asc ./phpmd.phar
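Review bot: the `gpg -u kylekatarnls@gmail.com --detach-sign --output ./phpmd.phar.asc ./phpmd.phar` line writes a binary detached signature into a file whose `.asc` suffix promises ASCII armor; add `--armor` so the artifact matches its name, and add `--batch` so an unattended Travis job cannot stall on a passphrase prompt. Selecting the key by `kylekatarnls@gmail.com` also ties every release signature to one maintainer's personal key rather than a project key, and nothing in this snippet shows where the private key comes from in the build environment; the commit should state how it is provisioned and that it never reaches the build log.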
Review comment (Member):

Email should be pgp@phpmd.org

ravage84 (Member) commented:

I have created a pgp private/public key pair and published the key as mentioned here.

@kylekatarnls is there anything else to be done?

steffenbrand commented Oct 30, 2019

> I have created a pgp private/public key pair and published the key as mentioned here.
>
> @kylekatarnls is there anything else to be done?

It's not working yet.
Maybe you published the key, but it hasn't actually been "published" yet.
Or maybe something went wrong :)
I don't know much about this whole GPG key topic :-/

The key is not available here: https://keys.openpgp.org/search?q=pgp%40phpmd.org
And the pgp.mit.edu server does not respond to the public key 0213D2C02C101FE2 as well.

The error I'm getting from phive is:

```text
phive install phpmd/phpmd
Phive 0.13.2 - Copyright (C) 2015-2019 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/phpmd/phpmd/releases
Downloading https://github.com/phpmd/phpmd/releases/download/2.7.0/phpmd.phar
Downloading https://github.com/phpmd/phpmd/releases/download/2.7.0/phpmd.phar.asc
Downloading key 0213D2C02C101FE2
[...]
[ERROR]    PublicKey 0213D2C02C101FE2 not found on key servers
```

@ravage84 Maybe you can try to submit it here? https://keys.openpgp.org/upload
Or maybe @theseer can give a hint?

theseer commented Oct 30, 2019

Our how-to page suggests uploading keys to pgp.mit.edu. That's a server which is part of the "classic" sks keyserver pool.

Given that there are various issues with their approach on how to handle public keys, signatures as well as the actual server software, a new keyserver software has been developed along with a different concept on how to manage keys: Enter keys.openpgp.org.

Given that phive with 0.13.2 seems to be working with the old as well as the new keyserver types as well as gpg 1 and 2, we're likely to change our how-to to keys.openpgp.org soon. Maybe I even have time to do that tomorrow.

That being said: The new server doesn't sync with the old world. So it's expected not to be found. That shouldn't be a problem per se as phive still uses the sks pool as secondary source.

As already mentioned and as phive complains about, neither key server knows about the aforementioned key.

Are you sure the upload worked? Best option would be to register it on keys.openpgp.org. Please make sure the key id of the key you register equals the one phive is trying to find - or in other terms: make sure you upload the public key matching the private key used to sign the phar.

If you need any assistance, please just ping me.
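The two halves this thread works through, the CI signing step from the `.travis.yml` snippet above and the fetch-then-verify that phive performs and theseer describes, as an added example script. It is not phpmd's build script and not phive's code. It assumes GnuPG 2.x is installed as `gpg`, that the project key is served by keys.openpgp.org over HKPS, and it pins the primary-key fingerprint that phive prints for pgp@phpmd.org further down in this thread; `PHAR_VERIFY_OFFLINE` is a switch name chosen here, not anything phive or gpg define.

```shell
#!/bin/sh
# Added example, not phpmd's build script or phive's code: the producer-side
# signing step and the consumer-side check discussed in this thread.
# Assumptions: GnuPG 2.x is installed as `gpg`; the key is published on
# keys.openpgp.org (HKPS); the pinned fingerprint below is the one phive
# printed for pgp@phpmd.org in this thread.

# Pinned primary-key fingerprint of the phpmd release key, as shown by phive.
PHPMD_KEY_FINGERPRINT="3C68 40FC AFFB B059 F283 8A2C 0F96 84B8 B16B 7AB0"

# Strip display spacing and upper-case the hex digits so two fingerprints
# can be compared byte for byte.
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# The 64-bit key id phive prints ("Downloading key ...") is simply the last
# 16 hex digits of the 40-digit fingerprint.
key_id_from_fingerprint() {
    normalize_fingerprint "$1" | tail -c 16
}

# Machine-readable HKP lookup URL for that key id, in the form phive requested
# from keys.openpgp.org in this thread.
keyserver_lookup_url() {
    printf 'https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x%s' \
        "$(key_id_from_fingerprint "$1")"
}

# Key id recorded inside a detached signature. This is untrusted metadata; it
# only tells us which public key to fetch before the real verification.
signature_key_id() {
    gpg --batch --list-packets "$1" 2>/dev/null \
        | sed -n 's/.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' | head -n 1
}

# Producer side (CI): detached, ASCII-armored signature next to the phar.
# --armor makes the output match the .asc suffix; --batch --yes keeps an
# unattended build from stalling on a prompt. The private key (and its
# passphrase, if any) must be provisioned by the CI environment, not shown here.
sign_phar() {
    phar="$1"
    signer="${2:-pgp@phpmd.org}"
    gpg --batch --yes --armor --local-user "$signer" \
        --detach-sign --output "$phar.asc" "$phar"
}

# Consumer side: fetch the key the signature names, verify, then insist on a
# GOODSIG line (a revoked or expired key yields REVKEYSIG/EXPKEYSIG instead,
# which is the failure mode of signing with a revoked key) and on the primary
# fingerprint matching the pinned one. PHAR_VERIFY_OFFLINE=1 (a name chosen
# for this example) skips the keyserver fetch when the key is already imported.
verify_phar() {
    phar="$1"
    sig="${2:-$phar.asc}"
    expected=$(normalize_fingerprint "${3:-$PHPMD_KEY_FINGERPRINT}")
    kid=$(signature_key_id "$sig")
    [ -n "$kid" ] || { echo "no signature packet found in $sig" >&2; return 1; }
    if [ -z "${PHAR_VERIFY_OFFLINE:-}" ]; then
        gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$kid" >/dev/null 2>&1 \
            || { echo "key $kid not found on keys.openpgp.org" >&2; return 1; }
    fi
    # --status-fd 1 emits machine-readable lines; the last field of VALIDSIG is
    # the primary key fingerprint, the value phive shows before asking to import.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$phar" 2>/dev/null || true)
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' \
        || { echo "no good signature on $phar (bad, expired or revoked key)" >&2; return 1; }
    used=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
    [ "$used" = "$expected" ] \
        || { echo "signed by $used, expected $expected" >&2; return 1; }
    echo "OK: $phar is signed by $used"
}

# Usage: ./phar-sig.sh sign ./phpmd.phar [signer]
#        ./phar-sig.sh verify ./phpmd.phar [signature] [fingerprint]
case "${1:-}" in
    sign)   sign_phar "$2" "${3:-}" ;;
    verify) verify_phar "$2" "${3:-}" "${4:-}" ;;
esac
```

The GOODSIG check is what catches the mix-up described further down, where the phar was first signed with a key that had already been revoked: gpg still reports the signature as cryptographically valid (VALIDSIG), but labels it REVKEYSIG rather than GOODSIG, so `verify_phar` refuses it. Pinning the fingerprint rather than trusting whatever key id the `.asc` names is what stops a substituted phar plus a freshly uploaded attacker key from passing.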

ravage84 (Member) commented:

I'm pretty sure it worked last night. But soon after the seemingly successful upload, the website had some serious problems. Wasn't me... 😁

I noticed I created two keys last night, of which I revoked one. I think I used the revoked one to sign the phar.

Anyway, I extracted and uploaded the pub key again to pgp.mit.edu and to keys.openpgp.org.
Also, I signed the phar again, this time with the key intended.

And it seems to have worked.

```text
D:\dev\phive>php phive.phar install phpmd/phpmd
Phive 0.13.2 - Copyright (C) 2015-2019 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/phpmd/phpmd/releases
Downloading https://github.com/phpmd/phpmd/releases/download/2.7.0/phpmd.phar
Downloading https://github.com/phpmd/phpmd/releases/download/2.7.0/your.phar.asc
Downloading key 0F9684B8B16B7AB0=============>| 581 B / 581 B - 100%
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x0F9684B8B16B7AB0
Successfully downloaded key.=================>| 3.08 KB / 3.08 KB - 100%

        Fingerprint: 3C68 40FC AFFB B059 F283 8A2C 0F96 84B8 B16B 7AB0

        PHPMD (PHP Mess Detector) <pgp@phpmd.org>

        Created: 2019-10-29

Import this key? [y|N] y
Linking C:\Users\Marc Würth\.phive\phars/phpmd/phpmd-2.7.0.phar to D:\dev\phive\tools/phpmd.bat
```

Thanks guys for your support. @theseer @steffenbrand

steffenbrand commented:

Thanks a lot. I'm really grateful for the work you guys do!

theseer commented Oct 31, 2019

Glad it worked.

Two small notes:

  • Technically, the signature file is supposed to be called phpmd.phar.asc rather than your.phar.asc ;-)

  • You might want to register phpmd as an install alias. Simply open a PR against the repositories.xml file.

ravage84 (Member) commented:

> Technically, the signature file is supposed to be called phpmd.phar.asc rather than your.phar.asc ;-)

I thought so, but the documentation isn't really clear about that. Trying to fix that: phar-io/phar.io/pull/66

> You might want to register phpmd as an install alias. Simply open a PR against the repositories.xml file.

We will, once everything works as it should (after this PR is merged, I guess).

Thanks again!

ddebin commented Aug 25, 2020

Infection does it nicely.

tvbeek added this to the Future milestone Jul 20, 2021
Labels: Build scripts, Enhancement, On Hold, PHAR (Issues related to the phar file.)

Development

Successfully merging this pull request may close these issues:

  • Phar for PHPMD 2.8.x has no signature
  • Feature Request: Support for phive

6 participants