Recommendation for projects to document the signing key

[lucc]

The docs contain several how-tos about gpg and signatures and such. I suggest to add one more page or paragraph to explain the following argument:

1. package developers who publish a phar should sign the phar so that the integrity and origin can be validated
2. they should also document the key they used for this as a king of "trust anchor" somewhere in their website/docs

I have recently proposed this to several projects

• Document public key used for phar signing PHPCSStandards/PHP_CodeSniffer#157 and Doc: mention the signing key for phars PHPCSStandards/PHP_CodeSniffer#158
• Document the key used to sign the phar composer-unused/composer-unused#601
• Finish signing phar file phpmd/phpmd#1030 (comment)

It seems to me that some people are not aware of the benefit of a "trust anchor" in the form of a clearly documented key ID that is used to sign the phars. This is especially important if downstream consumers want to install tools in CI or some non interactive build environment where we want to use --trust-gpg-keys so we want to know the key id up front.

[theseer]

Very valid point.

I'll try to add documentation - and maybe revamp the full website in a not too distant future :)