Merge pull request #1130 from PHPCSStandards/feature/update-gpg-key-info

jrfnl · web-flow · commit 5b7cf795501b · 2025-06-13T03:56:19.000+02:00
Update for new GPG keys
diff --git a/.github/release-checklist.md b/.github/release-checklist.md
@@ -8,6 +8,17 @@
 - [ ] Verify that any new functions have type declarations (ClassName/array/callable) whenever possible.
 - [ ] Verify that the license tags all refer to the _new_ organisation and no longer to Squizlabs. (easily overlooked in new files)
 - [ ] Verify that `@copyright` tags in new files use `@copyright 20xx PHPCSStandards and contributors`.
+- [ ] Check if the GPG key is still valid (not expired).
+    If it has expired, create a new key before starting the release process.
+    - Generate a new key following the steps here: <https://phar.io/howto/generate-gpg-key.html>.
+    - Upload the new key following the steps here: <https://phar.io/howto/uploading-public-keys.html>.
+        :warning: the command for exporting the key will export _all_ keys for the email address. This will not work as OpenPGP does not send an email to verify the key if the upload contained multiple keys.
+        So, first run `gpg --keyid-format LONG --list-keys my@email.com`.
+        Then run `gpg --export --armor KEY_ID > phpcs.pub` specifically for the new key.
+        And then upload the file.
+    - Verify the key via the link received via email.
+    - Update the key information in the README x 3.
+    - Update the key info in the verify-release GHA workflow x 2.
 
 ### Wiki
 
@@ -77,11 +88,6 @@ Please consider [funding the PHP_CodeSniffer project](https://opencollective.com
     gpg -u my@email.com --detach-sign --output phpcs-x.x.x.phar.asc phpcs-x.x.x.phar
     gpg -u my@email.com --detach-sign --output phpcbf-x.x.x.phar.asc phpcbf-x.x.x.phar
     ```
-    - If, for whatever reason, the key is no longer available or has expired:
-      -> generate a new key following the steps here: <https://phar.io/howto/generate-gpg-key.html>.
-      -> upload the new key following the steps here: <https://phar.io/howto/uploading-public-keys.html>.
-      -> update the key information in the README x 3.
-      -> update the key info in the verify-release GHA workflow.
 - [ ] Get the SHA of the files for the phive.xml file
     ```bash
     # Linux
diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml
@@ -113,11 +113,16 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           GH_FORCE_TTY: true
 
-      - name: Download public key
+      - name: Download public key (May 2024)
         env:
           FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32"
         run: gpg --keyserver "hkps://keys.openpgp.org" --recv-keys "$FINGERPRINT"
 
+      - name: Download public key (June 2025)
+        env:
+          FINGERPRINT: "0xD91D86963AF3A29B6520462297B02DD8E5071466"
+        run: gpg --keyserver "hkps://keys.openpgp.org" --recv-keys "$FINGERPRINT"
+
       - name: Verify signature of the PHAR file
         run: gpg --verify ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.FILE }}
 
@@ -200,7 +205,9 @@ jobs:
           tools: phive
 
       - name: Install
-        run: phive install ${{ matrix.pharfile }} --copy --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32
+        run: >
+          phive install ${{ matrix.pharfile }} --copy
+          --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32,D91D86963AF3A29B6520462297B02DD8E5071466
 
       - name: "DEBUG: List files"
         run: ls -R
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ php phpcbf.phar -h
 ```
 
 These Phars are signed with the official Release key for PHPCS with the
-fingerprint `689D AD77 8FF0 8760 E046 228B A978 2203 05CD 5C32`.
+fingerprint `D91D 8696 3AF3 A29B 6520 4622 97B0 2DD8 E507 1466`.
 
 As of PHP_CodeSniffer 3.10.3, the provenance of PHAR files associated with a release can be verified via [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) using the [GitHub CLI tool](https://cli.github.com/) with the following command: `gh attestation verify [phpcs|phpcbf].phar -o PHPCSStandards`.
 
@@ -78,8 +78,8 @@ You will then be able to run PHP_CodeSniffer from the vendor bin directory:
 ### Phive
 If you use Phive, you can install PHP_CodeSniffer as a project tool using the following commands:
 ```bash
-phive install --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32 phpcs
-phive install --trust-gpg-keys 689DAD778FF08760E046228BA978220305CD5C32 phpcbf
+phive install --trust-gpg-keys D91D86963AF3A29B6520462297B02DD8E5071466 phpcs
+phive install --trust-gpg-keys D91D86963AF3A29B6520462297B02DD8E5071466 phpcbf
 ```
 You will then be able to run PHP_CodeSniffer from the `tools` directory:
 ```bash
