Unable to Install PHPCS using PHIVE

[donkidd]

Describe the bug

I am unable to Install phpcs using phive

Code sample

When Attempting to do phive install using either Phive 0.15.3 or Phive 0.16.0 I get the same error

phive install https://phars.phpcodesniffer.com/phars/phpcs-3.13.0.phar  
Phive 0.15.3 - Copyright (C) 2015-2025 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://phars.phpcodesniffer.com/phars/phpcs-3.13.0.phar
Downloading https://phars.phpcodesniffer.com/phars/phpcs-3.13.0.phar.asc
[ERROR]    Signature could not be verified 
[ERROR]    unknown error code 

To reproduce

phive install phpcs

Expected behavior

PHPCS should be installed via phive

Additional context

When I verify the gpg key using gpg --verify I get a message that the key has expired, so I believe that the key needs to be updated and this problem will be resolved.

gpg --verify phpcs-3.13.0.phar.asc phpcs-3.13.0.phar
gpg: Signature made Sun May 11 04:19:24 2025 UTC
gpg:                using RSA key 689DAD778FF08760E046228BA978220305CD5C32
gpg:                issuer "juliette@phpcodesniffer.com"
gpg: Good signature from "Juliette Reinders Folmer (Release key for PHPCS) <juliette@phpcodesniffer.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 689D AD77 8FF0 8760 E046  228B A978 2203 05CD 5C32

Please confirm

• [X ] I have searched the issue list and am not opening a duplicate issue.
• [ X] I have read the Contribution Guidelines and this is not a support question.
• I confirm that this bug is a bug in PHP_CodeSniffer and not in one of the external standards.
• [] I have verified the issue still exists in the master branch of PHP_CodeSniffer.

[jrfnl]

@donkidd Thanks for reporting this, however I cannot reproduce the issue when installing via PHIVE. Tested on both Windows as well as Linux.

Expired keys should still allow for verification of the release. The key was valid at the date of signing, so there's no problem there.
Also note that PHIVE already verifies the signature when downloading and installing, so you do not need to run gpg --verify yourself.

And yes, I'm aware that the key has expired. The next release will use a new key as the gpg key is being replaced every year as per recommended security practices.

[donkidd]

I just did the gpg --verify to see what. the error might be.

The problem I'm facing locally and when trying to add phpcs to a docker image we use for local development is that I get this unknown error, and I'm trying to determine its cause and a resolution

phive install https://phars.phpcodesniffer.com/phars/phpcs-3.13.0.phar  
Phive 0.15.3 - Copyright (C) 2015-2025 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://phars.phpcodesniffer.com/phars/phpcs-3.13.0.phar
Downloading https://phars.phpcodesniffer.com/phars/phpcs-3.13.0.phar.asc
[ERROR]    Signature could not be verified 
[ERROR]    unknown error code 

• What version of PHIVE are you using?
• Did you specify a version of phpcs?

[jrfnl]

I tested with Phive 0.16.0 and tested both with and without specifying the version of PHPCS as well as testing with specifying the URL versus using the alias. All worked fine.

To be honest, this doesn't sound like a problem with PHPCS. You may want to open an issue in the Phive repo instead.

[donkidd]

This issue is that I am only have this issue with PHPCS, I can PHPUNit & PHPSTAN with phive just not phpcs.

[jrfnl]

@donkidd That is as it may be, but this still sounds like a PHIVE issue and one specific to your install. Without being able to reproduce the issue, I honestly don't know what you expect me to do.

[donkidd]

@jrfnl

I'm still trying to understand what you are doing that is working for you that isn't working for me
The date that the key expired corresponds to when my install stopped working, so what am I missing.

gpg --list-keys 689DAD778FF08760E046228BA978220305CD5C32
pub   rsa4096 2024-05-20 [SC] [expired: 2025-05-20]
      689DAD778FF08760E046228BA978220305CD5C32
uid           [ expired] Juliette Reinders Folmer (Release key for PHPCS) <juliette@phpcodesniffer.com>

FYI, I have opened an issue with Phive but I'm just stuck in the water right now unsure where to go/how to fix this issue.

[jrfnl]

FYI, I have opened an issue with Phive...

For the record - this is the sister-issue in the Phive repo: phar-io/phive#448

... I'm just stuck in the water right now unsure where to go/how to fix this issue.

@donkidd I honestly don't know what I can tell you - I even re-ran the CI check we do on releases, which includes a check that installation via Phive works successfully and the install worked fine (build fails, but that is due to issue phar-io/phive#154).

I had a weird issue with Phive myself a while back, which turned out to be related to some unexpected file corruption.

You may want to try to clear out the phar file cache and possibly check your gpg install. The issue I linked above should give you some idea of things you could check.