Automatic key import fails #260

Closed · temp opened this issue May 20, 2020 · 25 comments

Comments

temp commented May 20, 2020

When calling

$ '/php74/tools/src/phive.phar' '--no-progress' 'install' '--copy' '--target' '/php74/tools/src/build/usr/bin' '--trust-gpg-keys' 'F4D32E2C9343B2AE' 'composer-unused'

with phive 0.14.2, it asks for permission (which I can't give, since this is an automated build).

[WARNING] This is NOT a key that has been used to install previous versions of this PHAR.
           While this can be perfectly valid (maybe the maintainer switched to a new key),
           please make sure this key belongs to the maintainer of the PHAR you are going to install.

	Fingerprint: D969 E610 2643 4DFE 4D64 1764 F4D3 2E2C 9343 B2AE

	Andreas Frömer <[email protected]>

	Created: 2020-02-16

Import this key? [y|N]

At first I thought this worked in phive 0.14, but looking at the WARNING I guess this is because of the key-change in composer-unused/composer-unused#81?

theseer (Member) commented May 20, 2020

This looks a bit like the same issue as #222

Looking at the code though, I don't see why that would happen. Unfortunately, I cannot reproduce this with composer-unused as I can't install the previous version.

temp (Author) commented Jul 10, 2020

Same problem again, this time with phan:

$ 'phive.phar' '--no-progress' 'install' '--copy' '--trust-gpg-keys' '8101FB57DD8130F0' 'phan'
Phive 0.14.4 - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/phan/phan/releases
Downloading https://github.com/phan/phan/releases/download/2.7.3/phan.phar
Downloading https://github.com/phan/phan/releases/download/2.7.3/phan.phar.asc
Downloading key 8101FB57DD8130F0
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x8101FB57DD8130F0
Successfully downloaded key.
[WARNING] This is NOT a key that has been used to install previous versions of this PHAR.
           While this can be perfectly valid (maybe the maintainer switched to a new key),
           please make sure this key belongs to the maintainer of the PHAR you are going to install.

	Fingerprint: A618 F385 C2FC 0029 69A8 9FBE 8101 FB57 DD81 30F0

	Tyson Andre <[email protected]>

	Created: 2020-06-21

Import this key? [y|N]
    >>> ERROR: [ERROR]   Needs tty to be able to confirm

temp (Author) commented Jul 10, 2020

I guess the error can be forced by installing an older version of phan first, then the current version.

theseer (Member) commented Jul 10, 2020

I'll have a look over the weekend.

theseer (Member) commented Jul 11, 2020

Sigh, I can't reproduce this:

theseer@nyda /tmp/x6 $ phive --home ./phive --no-progress  install --copy  [email protected]
Phive 0.14.4-6-g956ee5e - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://api.github.com/repos/phan/phan/releases
Downloading https://github.com/phan/phan/releases/download/2.6.1/phan.phar
Downloading https://github.com/phan/phan/releases/download/2.6.1/phan.phar.asc
Downloading key AFA6EAAB339B841E
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xAFA6EAAB339B841E
Successfully downloaded key.
[WARNING]  Parsing key data failed with error code 0: No UIDs in key found 
Trying to connect to keyserver.ubuntu.com (162.213.33.8)
Successfully downloaded key.

	Fingerprint: DD0E 869F 43C6 D0B1 0E2E 2F19 AFA6 EAAB 339B 841E

	Tyson Andre <[email protected]>

	Created: 2018-06-09

Import this key? [y|N] y
Copying phan-2.6.1.phar to /tmp/x6/tools/phan

Okay, 2.6.1 installed. Now let's get a 2.7 release with trust-gpg-keys switch:

theseer@nyda /tmp/x6 $ phive --home ./phive --no-progress install --copy --trust-gpg-keys  8101FB57DD8130F0 phan@^2.7
Phive 0.14.4-6-g956ee5e - Copyright (C) 2015-2020 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://github.com/phan/phan/releases/download/2.7.3/phan.phar
Downloading https://github.com/phan/phan/releases/download/2.7.3/phan.phar.asc
Downloading key 8101FB57DD8130F0
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x8101FB57DD8130F0
Successfully downloaded key.
[WARNING]  This is NOT a key that has been used to install previous versions of this PHAR.
           While this can be perfectly valid (maybe the maintainer switched to a new key),
           please make sure this key belongs to the maintainer of the PHAR you are going to install. 

	Fingerprint: A618 F385 C2FC 0029 69A8 9FBE 8101 FB57 DD81 30F0

	Tyson Andre <[email protected]>

	Created: 2020-06-21

Copying phan-2.7.3.phar to /tmp/x6/tools/phan

Works fine for me? What am I doing "wrong"?

theseer (Member) commented Jul 11, 2020

I'm of course using an interactive terminal here. Maybe that makes a difference? Even though I cannot see anything in the code that should...

temp (Author) commented Jul 13, 2020

Weird. On my shell I can't reproduce it either. Will evaluate in the CI environment further; I will keep you informed.

mobi-market-dev commented:

Hello,

I am getting this on my Jenkins box - any news on this?

Downloading key CF1A108D0E7AE720
14:44:37  Trying to connect to keys.openpgp.org (37.218.245.50)
14:44:37  Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xCF1A108D0E7AE720
14:44:37  
 ╰|>                                       | 0.00 KB / 3.07 KB -   0%
 ╰|========================================>| 3.07 KB / 3.07 KB - 100%
Successfully downloaded key.
14:44:37  
14:44:37  	Fingerprint: D326 80D5 957D C711 6BE2 9C14 CF1A 108D 0E7A E720
14:44:37  
14:44:37  	Ondrej Mirtes <[email protected]>
14:44:37  
14:44:37  	Created: 2019-12-09
14:44:37  
14:44:37  Import this key? [y|N] [ERROR]   Needs tty to be able to confirm
14:44:37  

However my command is slightly different:

phive --no-progress install --trust-gpg-keys php-cs-fixer phpcpd phpunit phpstan

mobi-market-dev commented:

Thinking on it, this could also be the phive update command running just before the one above..

theseer (Member) commented Feb 15, 2021

For security reasons, phive does not support generic / global auto import of keys but only explicitly specified keys. The switch you're using thus requires the key-id: ... --trust-gpg-keys 0x12324123, 0x12341234, .....

Since phive keeps everything in its private keyring, you have to do this externally - for instance by importing the key into the gpg keyring (stored by default in ~/.phive/gpg).

mobi-market-dev commented Feb 15, 2021

Ok, that's what I had previously:

phive --no-progress install --trust-gpg-keys E82B2FB314E9906E,4AA394086372C20A,4AA394086372C20A,31C7E470E2138192,8AC0BAA79732DD42,2A8299CE842DD38C,4AA394086372C20A,CF1A108D0E7AE720,4AA394086372C20A

which was throwing out

14:02:52  Linking /var/lib/jenkins/.phive/phars/php-cs-fixer-2.16.4.phar to /var/lib/jenkins/workspace/MobiMarket_trade_master/tools/php-cs-fixer
14:02:52  [ERROR]   No matching release found!

what is the best way to automate the installation of phars on build servers?

sorry for the digression, not had any troubles with this until today..

theseer (Member) commented Feb 15, 2021

theseer@nyda /tmp/xx $ phive --home ./test --no-progress install --trust-gpg-keys E82B2FB314E9906E,4AA394086372C20A,4AA394086372C20A,31C7E470E2138192,8AC0BAA79732DD42,2A8299CE842DD38C,4AA394086372C20A,CF1A108D0E7AE720,4AA394086372C20A php-cs-fixer phpcpd phpunit phpstan
Phive 0.14.5-4-gae93543-dirty - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
Fetching repository list
Downloading https://phar.io/data/repositories.xml
Downloading https://api.github.com/repos/FriendsOfPHP/PHP-CS-Fixer/releases
Downloading https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.18.2/php-cs-fixer.phar
Downloading https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.18.2/php-cs-fixer.phar.asc
Downloading key E82B2FB314E9906E
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xE82B2FB314E9906E
Successfully downloaded key.
[WARNING]  Parsing key data failed with error code 0: No UIDs in key found 
Trying to connect to keyserver.ubuntu.com (162.213.33.9)
Successfully downloaded key.

	Fingerprint: BBAB 5DF0 A0D6 6729 89CF 1869 E82B 2FB3 14E9 906E

	Dariusz Ruminski <[email protected]>

	Created: 2015-01-17

Linking ./test/phars/php-cs-fixer-2.18.2.phar to /tmp/xx/tools/php-cs-fixer
Downloading https://phar.phpunit.de/phive.xml
Downloading https://phar.phpunit.de/phpcpd-6.0.3.phar
Downloading https://phar.phpunit.de/phpcpd-6.0.3.phar.asc
Downloading key 4AA394086372C20A
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x4AA394086372C20A
Successfully downloaded key.

	Fingerprint: D840 6D0D 8294 7747 2937 7831 4AA3 9408 6372 C20A

	Sebastian Bergmann <[email protected]>
	Sebastian Bergmann <[email protected]>
	Sebastian Bergmann <[email protected]>
	Sebastian Bergmann <[email protected]>
	Sebastian Bergmann <[email protected]>

	Created: 2014-07-19

Linking ./test/phars/phpcpd-6.0.3.phar to /tmp/xx/tools/phpcpd
Downloading https://phar.phpunit.de/phpunit-9.5.2.phar
Downloading https://phar.phpunit.de/phpunit-9.5.2.phar.asc
Linking ./test/phars/phpunit-9.5.2.phar to /tmp/xx/tools/phpunit
Downloading https://api.github.com/repos/phpstan/phpstan/releases
Downloading https://github.com/phpstan/phpstan/releases/download/0.12.76/phpstan.phar
Downloading https://github.com/phpstan/phpstan/releases/download/0.12.76/phpstan.phar.asc
Downloading key CF1A108D0E7AE720
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0xCF1A108D0E7AE720
Successfully downloaded key.

	Fingerprint: D326 80D5 957D C711 6BE2 9C14 CF1A 108D 0E7A E720

	Ondrej Mirtes <[email protected]>

	Created: 2019-12-09

Linking ./test/phars/phpstan-0.12.76.phar to /tmp/xx/tools/phpstan

theseer@nyda /tmp/xx $ ll
total 0
drwxr-xr-x. 6 theseer theseer 160 15. Feb 17:16 test
drwxr-xr-x. 2 theseer theseer 120 15. Feb 17:16 tools
theseer@nyda /tmp/xx $ ll tools
total 0
lrwxrwxrwx. 1 theseer theseer 36 15. Feb 17:16 phpcpd -> /tmp/xx/test/phars/phpcpd-6.0.3.phar
lrwxrwxrwx. 1 theseer theseer 43 15. Feb 17:16 php-cs-fixer -> /tmp/xx/test/phars/php-cs-fixer-2.18.2.phar
lrwxrwxrwx. 1 theseer theseer 39 15. Feb 17:16 phpstan -> /tmp/xx/test/phars/phpstan-0.12.76.phar
lrwxrwxrwx. 1 theseer theseer 37 15. Feb 17:16 phpunit -> /tmp/xx/test/phars/phpunit-9.5.2.phar

Works for me?

mobi-market-dev commented Feb 15, 2021

just manually ran this directly on our jenkins CLI:

phive --no-progress install --trust-gpg-keys E82B2FB314E9906E,4AA394086372C20A,4AA394086372C20A,31C7E470E2138192,8AC0BAA79732DD42,2A8299CE842DD38C,4AA394086372C20A,CF1A108D0E7AE720,4AA394086372C20A[sudo] password for scott:
Phive 0.14.5 - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
Linking /root/.phive/phars/phpcpd-6.0.2.phar to /var/lib/jenkins/workspace/MobiMarket_trade_master/tools/phpcpd
Linking /root/.phive/phars/phpunit-9.3.8.phar to /var/lib/jenkins/workspace/MobiMarket_trade_master/tools/phpunit
Linking /root/.phive/phars/php-cs-fixer-2.16.4.phar to /var/lib/jenkins/workspace/MobiMarket_trade_master/tools/php-cs-fixer
[ERROR]    No matching release found!

theseer (Member) commented Feb 15, 2021

That tries to install things from phive.xml / ./phive/phars.xml, respectively.

Can you paste that info?

mobi-market-dev commented:

hmm it looks to me that the issue here is that php cs fixer needs updating from 2.16.4 to 2.18.2

running the install command causes the above error however manually running the update command then the install command via cli results in success.

Via the automated build script though it is asking for key import auth:
commands:

phive update
phive --no-progress install --trust-gpg-keys E82B2FB314E9906E,4AA394086372C20A,4AA394086372C20A,31C7E470E2138192,8AC0BAA79732DD42,2A8299CE842DD38C,4AA394086372C20A,CF1A108D0E7AE720,4AA394086372C20A

Output:

16:24:13  
16:24:13  	Fingerprint: D326 80D5 957D C711 6BE2 9C14 CF1A 108D 0E7A E720
16:24:13  
16:24:13  	Ondrej Mirtes <[email protected]>
16:24:13  
16:24:13  	Created: 2019-12-09
16:24:13  
16:24:13  Import this key? [y|N] [ERROR]   Needs tty to be able to confirm

is there not a way to auto update and install without interaction?

phars.xml:

<?xml version="1.0" encoding="UTF-8"?>
<phive xmlns="https://phar.io/phive">
  <phar name="phpcpd" version="^6.0.2" installed="6.0.3" location="./tools/phpcpd" copy="false"/>
  <phar name="phpunit" version="^9.3.8" installed="9.5.2" location="./tools/phpunit" copy="false"/>
  <phar name="php-cs-fixer" version="^2.16.4" installed="2.18.2" location="./tools/php-cs-fixer" copy="false"/>
  <phar name="phpstan" version="^0.12.42" installed="0.12.42" location="./tools/phpstan" copy="false"/>
  <phar name="phploc" version="^7.0.1" installed="7.0.1" location="./tools/phploc" copy="false"/>
  <phar name="phpdox" version="^0.12.0" installed="0.12.0" location="./tools/phpdox" copy="false"/>
</phive>

theseer (Member) commented Feb 15, 2021

I'm not sure why you are running phive update, followed by phive install:

phive update is expected to install newer versions of already known tools - as has been previously recorded in .phive/phars.xml.

Running phive install (without explicit tools specified) is supposed to reinstall the exact set as it is recorded in .phive/phars.xml.

It is expected behavior for phive to not be happy if a GPG key changes between versions when update is used. We currently do not support specifying trusted keys for this command. As the intended workflow so far was to use install only in CI and, if needed, run update only on the workstation / dev system followed by a commit of the updated phars.xml - which then would make the CI use those versions.

theseer (Member) commented Feb 15, 2021

Regarding the "no matching release found": Your paste is missing a crucial line ;) in the output:

theseer@nyda /tmp/xx $ phive --home ./test --no-progress install --trust-gpg-keys E82B2FB314E9906E,4AA394086372C20A,4AA394086372C20A,31C7E470E2138192,8AC0BAA79732DD42,2A8299CE842DD38C,4AA394086372C20A,CF1A108D0E7AE720,4AA394086372C20A
Phive 0.14.5-4-gae93543-dirty - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
Linking ./test/phars/phpcpd-6.0.3.phar to /tmp/xx/tools/phpcpd
Linking ./test/phars/phpunit-9.5.2.phar to /tmp/xx/tools/phpunit
Linking ./test/phars/php-cs-fixer-2.18.2.phar to /tmp/xx/tools/php-cs-fixer
Downloading https://api.github.com/repos/phpstan/phpstan/releases
[ERROR]    No matching release found! 

The release of phpstan requested is not found. That's likely because it's quite old and we currently do not have paging support in the github api call (see #274 )

mobi-market-dev commented:

right I get it. For some reason my CLI output doesn't capture the downloading of phpstan prior to the no release found - makes sense.

I need to capture the phars.xml and commit it into the repo and install the phars designated from there using phive install after trusting them on the server.

makes sense - completely missed that..

mobi-market-dev commented:

Hello again..

Apologies for the long post. I still cannot get this to work and cannot get my builds working due to something around this issue. Below I have documented what I have done. I am 90% sure it is me doing something idiotic or misunderstanding something...

I appreciate any help anyone can give me as phive is the solution to other issues I have been having with composer and dependencies..

I have added phive.xml to my repo and on the server (as jenkins user)
I deleted the ~/.phive directory and manually added all the phars I require via:

phive install phpstan php-cs-fixer phpunit phpDocumentor phpcpd phploc

I accepted all key imports.

I then got the following error when trying to run phive

jenkins@dev:~$ phive
[ERROR]    Phive is not ready to run due to the following failed migration(s):
[ERROR]
[ERROR]              Rename internal storage file from `phars.xml` to `registry.xml`.
[ERROR]

Checking the ~/.phive directory i can see there is a phars.xml and a registry.xml both contain different content (phars.xml looks like my phive.xml and the registry.xml has a lot more information, urls etc) - I deleted the ~/.phive/phars.xml

phive now runs as expected.

Then in my build script i now only do phive install and have the following phive.xml in my repo

<?xml version="1.0" encoding="UTF-8"?>
<phive xmlns="https://phar.io/phive">
    <phar name="phpcpd" version="^6.0.3" installed="6.0.3" location="./tools/phpcpd" copy="false"/>
    <phar name="phpunit" version="^9.5.2" installed="9.5.2" location="./tools/phpunit" copy="false"/>
    <phar name="php-cs-fixer" version="^2.18.2" installed="2.18.2" location="./tools/php-cs-fixer" copy="false"/>
    <phar name="phpstan" version="^0.14.5" installed="0.14.5" location="./tools/phpstan" copy="false"/>
    <phar name="phploc" version="^7.0.1" installed="7.0.1" location="./tools/phploc" copy="false"/>
    <phar name="phpdox" version="^0.12.0" installed="0.12.0" location="./tools/phpdox" copy="false"/>
</phive>

I am now getting (taken directly from jenkins log..)

10:38:28  Phive 0.14.5 - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
10:38:28  [WARNING] Both .phive/phars.xml and phive.xml shouldn't be defined at the same time. Please prefer using .phive/phars.xml
10:38:28  [WARNING] Both .phive/phars.xml and phive.xml shouldn't be defined at the same time. Please prefer using .phive/phars.xml
10:38:28  [WARNING] Both .phive/phars.xml and phive.xml shouldn't be defined at the same time. Please prefer using .phive/phars.xml
10:38:29  Downloading https://phar.phpunit.de/phpcpd-6.0.2.phar
10:38:29  Downloading https://phar.phpunit.de/phpcpd-6.0.2.phar.asc
10:38:29  Linking /var/lib/jenkins/.phive/phars/phpcpd-6.0.2.phar to /var/lib/jenkins/workspace/MobiMarket_trade_master/tools/phpcpd
10:38:29  Downloading https://phar.phpunit.de/phpunit-9.3.8.phar
10:38:30  Downloading https://phar.phpunit.de/phpunit-9.3.8.phar.asc
10:38:31  Linking /var/lib/jenkins/.phive/phars/phpunit-9.3.8.phar to /var/lib/jenkins/workspace/MobiMarket_trade_master/tools/phpunit
10:38:31  Downloading https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.16.4/php-cs-fixer.phar
10:38:32  Downloading https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v2.16.4/php-cs-fixer.phar.asc
10:38:32  Linking /var/lib/jenkins/.phive/phars/php-cs-fixer-2.16.4.phar to /var/lib/jenkins/workspace/MobiMarket_trade_master/tools/php-cs-fixer
10:38:33  [ERROR]   No matching release found!

I have tried removing the ~/.phive folder, the build servers workspace .phive folder and various other things but still cannot get the phars installed.

However when manually running the phive install via the jenkins user directly on the box, it seems to work with no issues (bar the warning):

jenkins@server:~/workspace/$ phive install
Phive 0.14.5 - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
[WARNING]  Both .phive/phars.xml and phive.xml shouldn't be defined at the same time. Please prefer using .phive/phars.xml
[WARNING]  Both .phive/phars.xml and phive.xml shouldn't be defined at the same time. Please prefer using .phive/phars.xml
[WARNING]  Both .phive/phars.xml and phive.xml shouldn't be defined at the same time. Please prefer using .phive/phars.xml
Linking /jenkins/.phive/phars/phpcpd-6.0.3.phar to /workspace/tools/phpcpd
Linking /jenkins/.phive/phars/phpunit-9.5.2.phar to /workspace/tools/phpunit
Linking /jenkins/.phive/phars/php-cs-fixer-2.18.2.phar to /workspace/tools/php-cs-fixer
Linking /jenkins/.phive/phars/phpstan-0.12.76.phar to /workspace/tools/phpstan
Linking /jenkins/.phive/phars/phploc-7.0.2.phar to /workspace/tools/phploc
Linking /jenkins/.phive/phars/phpdox-0.12.0.phar to /workspace/tools/phpdox

I have also tried to phive purge and phive update

theseer (Member) commented Feb 22, 2021

Okay, I'm not sure how you ended up in this and whether or not it is still an issue. But I'll try to explain some things ;-)

Firstly, phive keeps a local log of the originally requested and then installed versions in .phive/phars.xml relative to the current work directory. The file (and directory) is created on an initial run of phive when no phive.xml is found in the current work directory.

While phive.xml was the original location and is mainly kept for compatibility, this way, we can also allow projects to have the general config in the root directory, as many projects prefer, but also support a more cleaned up "private" directory .phive where this and additional files can be kept without cluttering the root directory.

Having both is a problem and thus the warning you saw is shown. It should only happen if you manually install something without a phive.xml being present and then, later - for instance via git pull -, get a phive.xml anyhow via that update.

Having a phive.xml (or .phive/phars.xml - not both ;)) in your repository is of course fine and required for phive to be of use in CI.

Where ever phive is run, it will maintain its own state in .phive in the home directory of the current user (unless overwritten with --home). As you might see, if the current work directory and home directory are identical, this will cause a clash of directory names and is a design flaw we didn't think of while changing the old behavior (see #289) - a fix is discussed in #290.

Any keys accepted when installing are imported into a phive private gpg keyring stored in ~/.phive/gpg. That store is not being committed to version control as it is system local only.

Key handling in general has two conflicting requirements: While I do not want others to make the decision whether I do trust a signature and have a key auto-imported without my confirmation on my system, I very much do want to automate the decision in CI. To address this, we opted for adding a list of trusted keys to the CLI. I'm currently considering to add the key id to the phive.xml / .phive/phars.xml, so to avoid having to specify all of them all the time and add a switch to tell phive to trust the IDs specified. But for the time being, the key list has to be passed along in CI.

The alternative is to manually import all the required public keys to phive's keyring in ~/.phive/gpg before running it. That way, phive would be happy to use and trust them.

So, to sum things up, this is how it should work, assuming you delete phive.xml as well as .phive from your project to basically start from scratch. The following steps are to be run on your machine:

  1. phive install tool-a tool-b [email protected]
  2. git add .phive && git commit -m "add tools"
  3. add phive install --trust-gpg-keys 0x12-key-of-tool-a,0x34-key-b,... to your build automation configuration
  4. git add {build-automation-config} && git commit -m "add phive to build" && git push

There is no need to run any other phive command on CI.

temp (Author) commented Feb 23, 2021

I am also still experiencing problems with automatic key import under some circumstances - mainly when a phar author has changed his gpg key, and I call update in a CI environment.
Although I provide the --trust-gpg-keys XXX flag, phive asks for interactive confirmation. Which of course breaks in a CI environment.

mobi-market-dev commented:

Hi,

Thanks for the detailed response - I feel like its all coming together now.

  • I have removed the ./.phive dir and the phive.xml file from the repo.

  • I have, locally, phive install phpcpd phpunit phpstan phpDocumentor php-cs-fixer and accepted all keys

  • phive status (screenshot of the output, not reproduced)

  • Committed the repo and pushed all changes.

  • On build server removed ~/.phive

  • In my build scripts repo added phive install --trust-gpg-keys 4AA394086372C20A CF1A108D0E7AE720 4AA394086372C20A 6DA3ACC4991FFAE5 E82B2FB314E9906E, committed and pushed the changes.

Now when running the build on the build server, or just the phive install command above I get the following error

$ phive install --trust-gpg-keys 4AA394086372C20A CF1A108D0E7AE720 4AA394086372C20A 6DA3ACC4991FFAE5 E82B2FB314E9906E
Phive 0.14.5 - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
[ERROR]    Could not resolve requested PHAR cf1a108d0e7ae720

phive status: (screenshot of the output, not reproduced)

is there something I am not clearing out - cache maybe? I double checked the key on openpgp and it is found, it installs and works locally so seems to be a server instance issue only - but short of a complete wipe and reimage I cant see why and the debugging is limited.

mobi-market-dev commented Feb 23, 2021

And in a moment of clarity (and double/triple checking your example) I found the issue.. (Typical after posting the previous comment)..
phive install --trust-gpg-keys 4AA394086372C20A CF1A108D0E7AE720 4AA394086372C20A 6DA3ACC4991FFAE5 E82B2FB314E9906E
should be:
phive install --trust-gpg-keys 4AA394086372C20A,CF1A108D0E7AE720,4AA394086372C20A,6DA3ACC4991FFAE5,E82B2FB314E9906E

note: No spaces between the keys, just a single comma.

Pushed the above changes to build script repo and can confirm all is working as expected.

Whilst this is entirely an issue with me not being able to read - is it worth perhaps removing any whitespace from each key in the list?

Also may it not be prudent to make the list aspects of the command the same across all commands?
eg phive install phpstan phpDocumentor phpunit to be comma separated in the same way the phive install --trust-gpg-keys list is or vice versa?

theseer (Member) commented Feb 23, 2021

> Whilst this is entirely an issue with me not being able to read - is it worth perhaps removing any whitespace from each key in the list?
>
> Also may it not be prudent to make the list aspects of the command the same across all commands?
> eg phive install phpstan phpDocumentor phpunit to be comma separated in the same way the phive install --trust-gpg-keys list is or vice versa?

No, because that'll be ambiguous: Look at phive install --trust-gpg-keys 0x1234 phpunit. The 0x1234 is technically a value for the switch, phpunit is an argument. That would require a completely different approach to parsing CLI parameters - and, to counter the ambiguity, we'd have to apply regex on the arguments to tell key ids and phar names apart.
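
Both theseer's Feb 22 workflow (pin the keys once on a workstation, commit .phive, pass the IDs to phive install --trust-gpg-keys in CI) and the comma-separated-list answer above leave the key list to be assembled by hand, which is where the spaces-instead-of-commas mistake crept in. The following is an added example and not phive's own code nor anything posted in this thread: a small Python helper that pins the full 40-digit fingerprints phive prints (the values below are copied from the Fingerprint: lines shown earlier in the thread), derives from them the 16-digit long key IDs the switch expects, joins them with commas and no whitespace, and checks a captured phive log so that a maintainer key rotation fails the build with a clear message instead of a tty prompt. The parsing of the Fingerprint: lines relies only on the output format visible in this thread; the function names and the sample log are my own assumptions.

```python
"""Pin phive signing keys by full fingerprint and build a --trust-gpg-keys list.

Added example; not part of phive. Function names, the allowlist layout and
the sample log are assumptions made for illustration.
"""
import re

# Allowlist: tool name -> full OpenPGP v4 fingerprint, copied from the
# "Fingerprint:" lines phive printed in the thread above. Commit the full
# fingerprint to your repo, not just the 16-digit ID you pass on the CLI.
PINNED_FINGERPRINTS = {
    "phpunit":      "D840 6D0D 8294 7747 2937 7831 4AA3 9408 6372 C20A",
    "phpstan":      "D326 80D5 957D C711 6BE2 9C14 CF1A 108D 0E7A E720",
    "php-cs-fixer": "BBAB 5DF0 A0D6 6729 89CF 1869 E82B 2FB3 14E9 906E",
    "phan":         "A618 F385 C2FC 0029 69A8 9FBE 8101 FB57 DD81 30F0",
}

_HEX40 = re.compile(r"^[0-9A-F]{40}$")
# One "Fingerprint:" line as phive prints it: ten groups of four hex digits.
_FPR_LINE = re.compile(r"Fingerprint:\s*((?:[0-9A-Fa-f]{4}\s*){10})")


def normalize_fingerprint(fpr: str) -> str:
    """Drop whitespace and an optional 0x prefix, upper-case, require 40 hex digits.

    A bare 16-digit key ID is rejected on purpose: the allowlist holds full
    fingerprints and the short form is derived from them, never the reverse.
    """
    digits = re.sub(r"\s+", "", fpr).upper()
    if digits.startswith("0X"):
        digits = digits[2:]
    if not _HEX40.match(digits):
        raise ValueError(f"not a 40-digit OpenPGP fingerprint: {fpr!r}")
    return digits


def long_key_id(fpr: str) -> str:
    """The 64-bit key ID phive's --trust-gpg-keys switch takes: the last 16 hex
    digits of the v4 fingerprint (... 4AA3 9408 6372 C20A -> 4AA394086372C20A)."""
    return normalize_fingerprint(fpr)[-16:]


def trust_gpg_keys_arg(fingerprints) -> str:
    """Comma-joined, de-duplicated key IDs with no whitespace.

    As shown above, a space-separated list makes phive treat the second and
    later IDs as PHAR names ("Could not resolve requested PHAR cf1a108d0e7ae720").
    """
    ids = []
    for fpr in fingerprints:
        kid = long_key_id(fpr)
        if kid not in ids:
            ids.append(kid)
    return ",".join(ids)


def fingerprints_in_output(log: str) -> list:
    """Every fingerprint phive printed while downloading keys, normalized."""
    return [normalize_fingerprint(m) for m in _FPR_LINE.findall(log)]


def unpinned_fingerprints(log: str, pinned=PINNED_FINGERPRINTS) -> list:
    """Fingerprints phive used that are not on the allowlist.

    Non-empty means a maintainer rotated keys (or a keyserver returned
    something unexpected): fail the CI job and have a human verify and re-pin
    rather than letting the build accept the new key on its own.
    """
    allowed = {normalize_fingerprint(f) for f in pinned.values()}
    return [f for f in fingerprints_in_output(log) if f not in allowed]


# Constructed sample log: the phan key lines from the thread, followed by the
# older phan key that theseer's 2.6.1 install accepted, as if both were fetched.
SAMPLE_LOG = """\
Downloading key 8101FB57DD8130F0
Successfully downloaded key.
\tFingerprint: A618 F385 C2FC 0029 69A8 9FBE 8101 FB57 DD81 30F0
\tTyson Andre
Downloading key AFA6EAAB339B841E
\tFingerprint: DD0E 869F 43C6 D0B1 0E2E 2F19 AFA6 EAAB 339B 841E
"""

if __name__ == "__main__":
    print("--trust-gpg-keys", trust_gpg_keys_arg(PINNED_FINGERPRINTS.values()))
    rogue = unpinned_fingerprints(SAMPLE_LOG)
    if rogue:
        raise SystemExit(f"refusing to trust unpinned key(s): {rogue}")
```

In a pipeline, run phive with the value of trust_gpg_keys_arg() and pipe its output through unpinned_fingerprints(); a non-empty result is a build failure that names the new fingerprint, which is the information a human needs to verify the rotation against the maintainer's announcement before re-pinning.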

theseer (Member) commented Apr 3, 2021

I guess this issue can be closed. If this was a wrong assumption, please leave a note.

3 participants