The PHAR Installation and Verification Environment (PHIVE)

Installation and verification of phar distributed PHP applications has never been this easy!

Adding all the required tools like PHPUnit, PHPMD and phpDox in their matching versions to a project used to be a lot of repetitive work: Started by finding the download URL, figuring out what the actually correct and matching version is followed by verifying the SHA1 and GPG signatures and making the archive executable. And of course you’d have to repeat this very thing for every tool needed.

Alternatively, you could have used composer. Only to clutter your project’s dependencies with the ones of your tools. And fight their potential dependency conflicts.

No more! Now you can rely on PHIVE to install and manage your project’s tooling needs without all the hassle and without cluttered dependencies!

Logo PHIVE

Installation

Installation of PHIVE is easy and about the last time you have to do anything PHAR related manually.

Grab your copy of PHIVE from the releases section or run these simple steps in a terminal:

wget -O phive.phar https://phar.io/releases/phive.phar
wget -O phive.phar.asc https://phar.io/releases/phive.phar.asc
gpg --keyserver hkps://keys.openpgp.org --recv-keys 0x9D8A98B29B2D5D79
gpg --verify phive.phar.asc phive.phar
chmod +x phive.phar
sudo mv phive.phar /usr/local/bin/phive
Please note: Importing a gpg public key as shown above does not automatically make it a trusted key.
You are likely to receive a warning from GPG when using it: The key's User ID is not certified with a trusted signature!
As a means to verify the correct key is in use, GPG will print the key fingerprint.
If in doubt, please compare it with our published key fingerprint in the footer of this website.

It's okay to either ignore that warning - given all we care about is ensuring the phar archive has been signed by that very key - or, after inspection,
manually change the trust level to ultimate, for instance via gpg --edit team@phar.io trust or sign the key with your own: gpg --edit team@phar.io sign.

Usage

Once installed, PHIVE is ready for action. Some example invocations are shown below:

# Install using phar.io registered alias phive install phpunit # Install using github <name>/<repository> phive install theseer/Autoload # Ignore security implications and install unsigned phar via github <name>/<repository> phive install --force-accept-unsigned vendor/unsigned-project # Install using a fixed url phive install https://phar.phpunit.de/phpunit-7.3.5.phar # When used in CI environments - specify trusted keys and suppress progress output phive --no-progress install --trust-gpg-keys 4AA394086372C20A,2A8299CE842DD38C phpab phpunit # Create a copy of the phar rather than using a symlink phive install --copy phpdox # Install a phar with a specified version constraint phive install psalm@^4.1.1 # Use ./build/tools directory rather than default ./tools as symlink target folder phive install --target ./build/tools phpdox # Install all phar files declared in phive.xml phive install
PHIVE is still under heavy development. Please report any issues you find!

Supported Tools

Many famous PHP tools can already be installed via PhiVE. Among them the following well known projects:

Yours missing? Let us know!

Contributing

PHIVE and PHAR.IO are open source projects released under the BSD license. You are welcome to join the development team!

Fork us!