Upgrading to the latest version not only replaces old code and gets the latest solutions; if you do n’t update, these versions are sometimes outdated and may lack the latest features. Also, the configuration process varies from package to package and may not follow official documentation. Having said that, staying updated is the fastest and easiest way.
PHP Multilingual Framework v6.5 Latest Version
Released 2020-01-02, see release notes for details.
Verifying Lang-php releases
Starting with the v6.5 version number, all lang-php distributions are cryptographically signed by the released developer, who is a 'Lang-php.com Security Team', Key-ID:
2499 B792 4675 A12B
4F2B AB7B 8FA3 A53E 4DBD 9594 2499 B792 4675 A12B
You should verify that the signature matches the file you downloaded. This way, you can be sure that the code used is the same as the one posted. You should also verify the date of the signature to ensure that you downloaded the latest version.
Every file comes with
.asc There are files containing PGP signatures. After putting them in the same folder, you can verify the signature:
$ gpg --verify lang-php-latest-master.zip.asc gpg: Can't check signature: public key not found
As you can see, gpg prompts that it does not know the public key. At this point, you should perform one of the following steps:
1. Download from official
Latest public key and import the key:
Download online and import directly
$ wget --no-check-certificate https://lang-php.com/lang-php.com.asc && gpg --import lang-php.pgp.asc $ curl https://lang-php.com/lang-php.com.asc | gpg --import # Or use the command line to import the keys after manual download $ gpg --import lang-php.pgp.asc
2. Download and import keys from one of the key servers:
$ gpg --keyserver keys.gnupg.net --recv-keys 4F2BAB7B8FA3A53E4DBD95942499B7924675A12B
Gpg prompts after importing keys: no ultimately trusted keys found
gpg: no ultimately trusted keys found
To improve this situation, you can verify that the signature of the specified key is correct, but you still cannot trust the name used in the key:
$ gpg --verify lang-php-latest-master.zip.asc gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner." [full]
The problem here is that anyone can use that name to publish the key. You need to ensure that the key is actually owned by the person mentioned. The GNU Privacy Manual is in the "Verify other keys on the public key ring" Covers this topic. The most reliable way is to meet with the developers in person and exchange key fingerprints, but you can also rely on a network of trust. This way, you can do so by signing from someone else who has encountered the developer in person Pass the trusted key.
Once the key is trusted, no warning occurs:
$ gpg --verify lang-php-latest-master.zip.asc gpg: Good signature from "Lang-php.com Security Team <email@example.com>> [full]
If the signature is invalid (the archive has changed), you get a clear error whether the key is trusted or not:
$ gpg --verify lang-php-latest-master.zip.asc gpg: BAD signature from "Lang-php.com Security Team <firstname.lastname@example.org>" [full]
After that, you can delete the public key:
$ gpg --delete-key 4F2BAB7B8FA3A53E4DBD95942499B7924675A12B