Update for new GPG keys #1130
Merged
merged 2 commits into from
Jun 13, 2025
16 changes: 11 additions & 5 deletions .github/release-checklist.md
Expand Up @@ -8,6 +8,17 @@
- [ ] Verify that any new functions have type declarations (ClassName/array/callable) whenever possible.
- [ ] Verify that the license tags all refer to the _new_ organisation and no longer to Squizlabs. (easily overlooked in new files)
- [ ] Verify that `@copyright` tags in new files use `@copyright 20xx PHPCSStandards and contributors`.
- [ ] Check if the GPG key is still valid (not expired).
If it has expired, create a new key before starting the release process.
- Generate a new key following the steps here: <https://phar.io/howto/generate-gpg-key.html>.
- Upload the new key following the steps here: <https://phar.io/howto/uploading-public-keys.html>.
:warning: the command for exporting the key will export _all_ keys for the email address. This will not work as OpenPGP does not send an email to verify the key if the upload contained multiple keys.
So, first run `gpg --keyid-format LONG --list-keys [email protected]`.
Then run `gpg --export --armor KEY_ID > phpcs.pub` specifically for the new key.
And then upload the file.
- Verify the key via the link received via email.
- Update the key information in the README x 3.
- Update the key info in the verify-release GHA workflow x 2.

### Uncyclo

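Review bot: the `:warning:` caveat in this new step attributes the verification e-mail to "OpenPGP", but it is the keyserver this same PR fetches from in the workflow, `hkps://keys.openpgp.org`, that sends it, so name the server rather than the standard. While touching that line, export by full fingerprint instead of a long key ID (`gpg --export --armor <FINGERPRINT> > phpcs.pub`), since the whole reason for the step is that more than one key exists for the address, and say explicitly that the previous key is kept alongside the new one in the verify-release workflow (as this PR does) because releases already published remain signed with it.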
Expand Down Expand Up @@ -77,11 +88,6 @@ Please consider [funding the PHP_CodeSniffer project](https://opencollective.com
gpg -u [email protected] --detach-sign --output phpcs-x.x.x.phar.asc phpcs-x.x.x.phar
gpg -u [email protected] --detach-sign --output phpcbf-x.x.x.phar.asc phpcbf-x.x.x.phar
```
- If, for whatever reason, the key is no longer available or has expired:
-> generate a new key following the steps here: <https://phar.io/howto/generate-gpg-key.html>.
-> upload the new key following the steps here: <https://phar.io/howto/uploading-public-keys.html>.
-> update the key information in the README x 3.
-> update the key info in the verify-release GHA workflow.
- [ ] Get the SHA of the files for the phive.xml file
```bash
# Linux
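Review bot: the signing commands kept as context in this hunk, `gpg -u [email protected] --detach-sign ...`, select the signing key by e-mail address, and now that two keys exist for that address GnuPG will use the first usable match it finds in the keyring; pin the signer with the new key's fingerprint (`-u D91D86963AF3A29B6520462297B02DD8E5071466`) so a release cannot be signed with the previous key by accident. The removed block itself is fully covered by the new pre-release step above, so the move is fine.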
11 changes: 9 additions & 2 deletions .github/workflows/verify-release.yml
Expand Up @@ -113,11 +113,16 @@ jobs:
GH_TOKEN: ${{ github.token }}
GH_FORCE_TTY: true

- name: Download public key
- name: Download public key (May 2024)
env:
FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32"
run: gpg --keyserver "hkps://keys.openpgp.org" --recv-keys "$FINGERPRINT"

- name: Download public key (June 2025)
env:
FINGERPRINT: "0xD91D86963AF3A29B6520462297B02DD8E5071466"
run: gpg --keyserver "hkps://keys.openpgp.org" --recv-keys "$FINGERPRINT"

- name: Verify signature of the PHAR file
run: gpg --verify ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.FILE }}

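Review bot: `gpg --verify` at the end of this hunk succeeds for a signature from any key in the keyring, so with both the May 2024 and June 2025 keys imported the step no longer shows which key signed the PHAR; consider running it with `--status-fd 1` and matching the `VALIDSIG` status line against the fingerprint expected for the release being verified. A one-line comment on the second download step saying why the older key is still fetched (releases published before the rotation) would also save the next maintainer from "cleaning it up".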
Expand Down Expand Up @@ -200,7 +205,9 @@ jobs:
tools: phive

- name: Install
run: phive install ${{ matrix.pharfile }} --copy --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32
run: >
phive install ${{ matrix.pharfile }} --copy
--trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32,D91D86963AF3A29B6520462297B02DD8E5071466

- name: "DEBUG: List files"
run: ls -R
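Review bot: the two fingerprints are now hard-coded here and again in the two `FINGERPRINT` env values of the download steps earlier in this workflow, which is the "x 2" the release checklist has to remember; hoisting them into a single job-level `env` value referenced from both places would make the next rotation a one-line change. The folded `run: >` scalar is fine, since YAML joins the two lines with a single space.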
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -48,7 +48,7 @@ php phpcbf.phar -h
```

These Phars are signed with the official Release key for PHPCS with the
fingerprint `689D AD77 8FF0 8760 E046 228B A978 2203 05CD 5C32`.
fingerprint `D91D 8696 3AF3 A29B 6520 4622 97B0 2DD8 E507 1466`.

As of PHP_CodeSniffer 3.10.3, the provenance of PHAR files associated with a release can be verified via [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) using the [GitHub CLI tool](https://cli.github.com/) with the following command: `gh attestation verify [phpcs|phpcbf].phar -o PHPCSStandards`.

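Review bot: replacing the fingerprint outright leaves README readers with no hint that PHARs published before this change were signed with the previous key `689D AD77 8FF0 8760 E046 228B A978 2203 05CD 5C32`; a sentence naming the earlier key and the first release signed with the new one would help anyone verifying an older download.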
Expand Down Expand Up @@ -78,8 +78,8 @@ You will then be able to run PHP_CodeSniffer from the vendor bin directory:
### Phive
If you use Phive, you can install PHP_CodeSniffer as a project tool using the following commands:
```bash
phive install --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32 phpcs
phive install --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32 phpcbf
phive install --trust-gpg-keys D91D86963AF3A29B6520462297B02DD8E5071466 phpcs
phive install --trust-gpg-keys D91D86963AF3A29B6520462297B02DD8E5071466 phpcbf
```
You will then be able to run PHP_CodeSniffer from the `tools` directory:
```bash
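Review bot: these commands now trust only the new key, whereas the workflow in this same PR passes both keys as a comma-separated `--trust-gpg-keys` list; anyone using Phive to install a PHP_CodeSniffer version released before the key change will need the previous key, so either say so here or show the two-key form `--trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32,D91D86963AF3A29B6520462297B02DD8E5071466` as the workflow does.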