Doc: mention the signing key for phars

[lucc]

Description

The signing key used for the phars is mentioned in the README. This can serve as a "trust anchor" for consumers.

Suggested changelog entry

Related issues/external references

Fixes #157

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
  • This change is only breaking for integrators, not for external standards or end-users.
• Documentation improvement

PR checklist

• I have checked there is no other PR open for the same change.
• I have read the Contribution Guidelines.
• I grant the project the right to include and distribute the code under the BSD-3-Clause license (and I have the right to grant these rights).
• I have added tests to cover my changes.
• I have verified that the code complies with the projects coding standards.
• [Required for new sniffs] I have added XML documentation for the sniff.

[lucc]

@jrfnl please verify that this is really your key used for signing the phars :)

[jrfnl]

@lucc Thank you for making these changes 🙏🏻 . I have double and triple checked and yes, that is the correct key 😉

[jrfnl]

I'm re-reading @theseer's reply, which now has me wondering if the change to the phive command is correct. It uses the public key fingerprint in this PR, but in Arne's example, the command uses the key ID....

[theseer]

I'm re-reading @theseer's reply, which now has me wondering if the change to the phive command is correct. It uses the public key fingerprint in this PR, but in Arne's example, the command uses the key ID....

No worries. Both are fine. The more common way is to use the key ID but we explicitly also support the full fingerprint.
If you look at it, you'll see that the ID is actually a part of the fingerprint :)

[jrfnl]

@theseer Excellent! Thank you so much for your help and @lucc for preparing this update. Merging now.