PHIVE can be used to install PHARs, a kind of composer for PHAR files.
The good thing is, it verifies the downloaded file via GPG signature to make sure you installed the right tool.
Add a signature file to your GitHub releases
-- Copied from the phive howto (https://phar.io/howto/sign-and-upload-to-github.html) --
You need a personal or company GPG key. If you don't have one, this explains how to generate a GPG key.
gpg -u firstname.lastname@example.org --detach-sign --output your.phar.asc your.phar
About the options:
You should add a GPG-key (maybe the same one) for phpcbf.phar too. It would really help handling tools for those who don't like to add them as dev-dependency.
Just to verify:
If you're downloading a PHAR over HTTPS, then a signature isn't needed. The https://github.com/padraic/phar-updater package proves that (in there, the signature is used to differentiate between different PHAR versions only).
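
Added example, not part of the original thread or the phive howto: the `gpg --detach-sign` command quoted above, run together with the matching `gpg --verify` check, first on the untouched file and then after the file has been modified. The throwaway key, the `demo@example.org` identity, the temporary keyring and the dummy `your.phar` contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Sign a file with a detached signature, verify it, modify the file, verify again.
# Prints "good bad": the first verification passes, the second one fails.
# Runs in a subshell so the temporary GNUPGHOME never touches your real keyring.
demo_detached_signature() (
    work=$(mktemp -d) || exit 1
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway key with an empty passphrase (constructed, demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.org>' \
        default default never 2>/dev/null || { rm -rf "$work"; exit 1; }

    # Constructed stand-in for the release artifact.
    printf 'constructed stand-in for your.phar\n' > "$work/your.phar"

    # Same invocation as in the howto, plus flags for non-interactive use.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        -u demo@example.org --detach-sign \
        --output "$work/your.phar.asc" "$work/your.phar" 2>/dev/null \
        || { rm -rf "$work"; exit 1; }

    # Verification of the untouched file: exit status 0 means good signature.
    if gpg --batch --verify "$work/your.phar.asc" "$work/your.phar" 2>/dev/null
    then first=good; else first=bad; fi

    # Any change to the file after signing makes verification fail.
    printf 'extra bytes appended after signing\n' >> "$work/your.phar"
    if gpg --batch --verify "$work/your.phar.asc" "$work/your.phar" 2>/dev/null
    then second=good; else second=bad; fi

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    echo "$first $second"
)

# Run the demo only when invoked as: sh demo.sh run
if [ "${1:-}" = run ]; then
    demo_detached_signature
fi
```

A consumer would import the publisher's public key once and run the same `gpg --verify your.phar.asc your.phar` against each downloaded release.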