Make phpcs installable via Phive ( #1082

sebastianfeldmann opened this Issue Jul 21, 2016 · 2 comments


None yet

4 participants


PHIVE can be used to install PHARs, a kind of composer for PHAR files.
The good thing is, it verifys the downloaded file via GPG signature to make sure you installed the right tool.


Add a signature file to your github releases


-- Copied from the phive howto ( --

Create a signature

You need a personal or company GPG key. If you don't have one, this explains how to generate a GPG key.

gpg -u --detach-sign --output your.phar.asc your.phar

About the options:

  • -u (optional) Provide a search term for the USER-ID you intend to use, if you have more than one.
  • --detach-sign Create a detached signature (do not wrap the original file).
  • --output Specify the filename of the signature (PHIVE currently searches for your.phar.asc).
  • Last argument is the PHAR you want to sign.

Upload in GitHub's release section

  1. - Go to
  2. - Klick "Edit" on your latest tag/release
  3. - Add your.phar and your.phar.asc in the "Attach binaries..." section
  4. - Klick "Update release"

You should add a GPG-key (maybe the same one) for phpcbf.phar too. It would really help handling tools for those who don't like to add them as dev-dependency.

aik099 commented Jan 19, 2017

Just to verify:

  1. the PHAR file remains unchanged
  2. the .phar.asc file containing GPG signature is added next to in in release attachments


If you're downloading PHAR over HTTPS, then signature isn't needed. The package prooves that (in there signature is used to differentiate between different PHAR versions only).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment