Make phpcs installable via Phive (phar.io) #1082

Open
sebastianfeldmann opened this Issue Jul 21, 2016 · 2 comments

@sebastianfeldmann

PHIVE can be used to install PHARs, a kind of composer for PHAR files.
The good thing is, it verifies the downloaded file via GPG signature to make sure you installed the right tool.

ToDo

Add a signature file to your github releases

HowTo

-- Copied from the phive howto (https://phar.io/howto/sign-and-upload-to-github.html) --

Create a signature

You need a personal or company GPG key. If you don't have one, this explains how to generate a GPG key.

gpg -u john@doe.com --detach-sign --output your.phar.asc your.phar

About the options:

  • -u (optional) Provide a search term for the USER-ID you intend to use, if you have more than one.
  • --detach-sign Create a detached signature (do not wrap the original file).
  • --output Specify the filename of the signature (PHIVE currently searches for your.phar.asc).
  • Last argument is the PHAR you want to sign.

Upload in GitHub's release section

  1. Go to https://github.com///releases
  2. Click "Edit" on your latest tag/release
  3. Add your.phar and your.phar.asc in the "Attach binaries..." section
  4. Click "Update release"
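
The consuming side of the HowTo above, as an added example that is not part of the issue or of the PHIVE documentation: checking your.phar against your.phar.asc. It goes one step beyond the howto by accepting the signature only from one pinned key fingerprint rather than from any key in the keyring; the throwaway key, the file contents and the helper names `verify_phar` and `make_signed_sample` are constructed for the demo.

```shell
#!/bin/sh
# Added example. Key, paths and file contents are constructed for the demo;
# verify_phar and make_signed_sample are hypothetical helper names.
# Both helpers use the keyring in $GNUPGHOME, which the caller sets.

# verify_phar FILE SIG FPR: succeed only if SIG is a good detached signature
# over FILE made by the key whose primary fingerprint is exactly FPR.
verify_phar() (
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || exit 1
    # VALIDSIG's last field is the primary-key fingerprint of the signer.
    printf '%s\n' "$status" |
        awk -v fp="$3" '$2 == "VALIDSIG" && $NF == fp { ok = 1 } END { exit !ok }'
)

# make_signed_sample DIR: create a throwaway key, write DIR/your.phar, sign it
# with the command from the howto, and print the key's fingerprint.
make_signed_sample() (
    mkdir -p -m 700 "$GNUPGHOME" && cd "$1" || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key john@doe.com default default >/dev/null 2>&1 || exit 1
    printf 'constructed stand-in for a PHAR\n' > your.phar
    gpg --batch --quiet -u john@doe.com --detach-sign \
        --output your.phar.asc your.phar || exit 1
    gpg --batch --with-colons --list-keys john@doe.com |
        awk -F: '$1 == "fpr" { print $10; exit }'
)

demo() (
    work=$(mktemp -d) || exit 1
    export GNUPGHOME="$work/gnupg"
    fpr=$(make_signed_sample "$work") || exit 1
    verify_phar "$work/your.phar" "$work/your.phar.asc" "$fpr" &&
        echo "untouched file, pinned key: accepted"
    printf 'x' >> "$work/your.phar"    # simulate a modified download
    verify_phar "$work/your.phar" "$work/your.phar.asc" "$fpr" ||
        echo "modified file: rejected"
    gpgconf --kill gpg-agent
    rm -rf "$work"
)

# Run with: sh verify-demo.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```
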
@KingCrunch

You should add a GPG-key (maybe the same one) for phpcbf.phar too. It would really help handling tools for those who don't like to add them as dev-dependency.

@aik099
Contributor
aik099 commented Jan 19, 2017

Just to verify:

  1. the PHAR file remains unchanged
  2. the .phar.asc file containing GPG signature is added next to it in release attachments

?

If you're downloading PHAR over HTTPS, then signature isn't needed. The https://github.com/padraic/phar-updater package proves that (in there signature is used to differentiate between different PHAR versions only).
