phar-io / phar.io

Website of the phar.io project
https://phar.io

Recommendation for projects to document the signing key #147

Open lucc opened 11 months ago

lucc commented 11 months ago

The docs contain several how-tos about gpg and signatures and such. I suggest adding one more page or paragraph to explain the following argument:

  1. package developers who publish a phar should sign the phar so that the integrity and origin can be validated
  2. they should also document the key they used for this as a kind of "trust anchor" somewhere in their website/docs

I have recently proposed this to several projects.

It seems to me that some people are not aware of the benefit of a "trust anchor" in the form of a clearly documented key ID that is used to sign the phars. This is especially important if downstream consumers want to install tools in CI or some non-interactive build environment where we want to use `--trust-gpg-keys`, so we want to know the key id up front.
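As an added illustration of the point above (example code, not part of this thread or of the phar.io project): a CI-side check that a phar's detached GPG signature was made by the key the project documents as its trust anchor. The fingerprints and status lines are constructed placeholders; the check parses gpg's `--status-fd` output, whose `VALIDSIG` line carries the full fingerprint of the primary key, and compares it to the documented one.

```shell
#!/bin/sh
# Added example (not code from the phar.io project or the thread): a CI step
# that checks a phar's detached GPG signature against the key the project
# documents as its trust anchor. "Good signature" alone is not enough when a
# build environment auto-fetches keys: any key can produce a good signature,
# so the check must compare the signing key's fingerprint to the documented one.
# With phive the same pinning is done via `phive install --trust-gpg-keys <id>`.

# The documented trust anchor. Placeholder fingerprint, not a real project key.
DOCUMENTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# verify_against_anchor STATUS_OUTPUT EXPECTED_FPR
# STATUS_OUTPUT is gpg's machine-readable output (gpg --status-fd 1 --verify ...).
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the primary key
# fingerprint (its last field), which also covers signatures made by subkeys.
verify_against_anchor() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample status output: a good signature from a signing subkey
# whose primary key is the documented anchor.
STATUS_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: a perfectly good signature, but from some other key
# (for instance one auto-retrieved from a keyserver). Must be rejected.
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <other@example.net>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 1 10 00 1111111111111111111111111111111111111111'

# Constructed: the signature does not verify at all, so no VALIDSIG line.
STATUS_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>'

# Real usage in a pipeline (not run here; needs gpg and the downloaded files):
#   status=$(gpg --status-fd 1 --verify tool.phar.asc tool.phar 2>/dev/null)
#   verify_against_anchor "$status" "$DOCUMENTED_FPR" \
#       || { echo "signing key is not the documented trust anchor" >&2; exit 1; }
```

Pinning the full 40-hex-character fingerprint rather than a short key ID avoids the ambiguity of short IDs, and checking the primary-key field keeps the check stable when the project rotates signing subkeys.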

theseer commented 11 months ago

Very valid point.

I'll try to add documentation - and maybe revamp the full website in a not too distant future :)