Update for new GPG keys

jrfnl · jrfnl · commit 5296666b6377 · 2025-06-12T19:30:44.000+02:00
The GPG key expires every year - as per the recommendation, so a new key has been generated and uploaded to the openpgp database.
diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml
@@ -113,11 +113,16 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           GH_FORCE_TTY: true
 
-      - name: Download public key
+      - name: Download public key (May 2024)
         env:
           FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32"
         run: gpg --keyserver "hkps://keys.openpgp.org" --recv-keys "$FINGERPRINT"
 
+      - name: Download public key (June 2025)
+        env:
+          FINGERPRINT: "0xD91D86963AF3A29B6520462297B02DD8E5071466"
+        run: gpg --keyserver "hkps://keys.openpgp.org" --recv-keys "$FINGERPRINT"
+
       - name: Verify signature of the PHAR file
         run: gpg --verify ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.FILE }}
 
@@ -200,7 +205,9 @@ jobs:
           tools: phive
 
       - name: Install
-        run: phive install ${{ matrix.pharfile }} --copy --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32
+        run: >
+          phive install ${{ matrix.pharfile }} --copy
+          --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32,D91D86963AF3A29B6520462297B02DD8E5071466
 
       - name: "DEBUG: List files"
         run: ls -R
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ php phpcbf.phar -h
 ```
 
 These Phars are signed with the official Release key for PHPCS with the
-fingerprint `689D AD77 8FF0 8760 E046 228B A978 2203 05CD 5C32`.
+fingerprint `D91D 8696 3AF3 A29B 6520 4622 97B0 2DD8 E507 1466`.
 
 As of PHP_CodeSniffer 3.10.3, the provenance of PHAR files associated with a release can be verified via [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) using the [GitHub CLI tool](https://cli.github.com/) with the following command: `gh attestation verify [phpcs|phpcbf].phar -o PHPCSStandards`.
 
@@ -78,8 +78,8 @@ You will then be able to run PHP_CodeSniffer from the vendor bin directory:
 ### Phive
 If you use Phive, you can install PHP_CodeSniffer as a project tool using the following commands:
 ```bash
-phive install --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32 phpcs
-phive install --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32 phpcbf
+phive install --trust-gpg-keys D91D86963AF3A29B6520462297B02DD8E5071466 phpcs
+phive install --trust-gpg-keys D91D86963AF3A29B6520462297B02DD8E5071466 phpcbf
 ```
 You will then be able to run PHP_CodeSniffer from the `tools` directory:
 ```bash
