
Document "Cryptographic Verification of Release" after-download-and-before-install in "Installing" Docs #584

@maltfield

Description


Please update the "Installing" Documentation to include how users can cryptographically verify the authenticity and integrity of the release after they've downloaded it and before they install it.

Expected behaviour

When I go to download wp-cli, I should also see instructions on how to verify the authenticity & integrity of the file after download and before install. Or, at least, a link to the document that describes this.

Actual behaviour

I see no mention about cryptographic authenticity verification using PGP on the "Installing" documentation.

If there are any other documents that also describe how to install wp-cli, please add them to this ticket and update them as well.

Steps to reproduce

  1. Go to https://make.wordpress.org/cli/handbook/guides/installing/
  2. ???
  3. Get confused and open ticket

Actually, I did some digging and checked the latest "Release" of wp-cli on GitHub. I was very pleasantly surprised to see a detached signature file wp-cli-2.6.0.phar.asc (and also a bit confused to also see some file named wp-cli-2.6.0.phar.gpg)

Then I stumbled on this ticket from 2016 that resulted in all releases getting cryptographically signed. That's great!

Unfortunately, probably few people know that they can check the authenticity of their wp-cli releases because it's not documented anywhere :(

Also, as an aside, it's kinda odd that you have md5 & sha256 checksum files stored, unsigned, next to the release. Usually the way this is done (at least in Debian) is to create a SHA256SUMS file containing all the sha256 hashes of all the files in the release, and then sign that with gpg. Then you get very scalable/efficient authenticity and integrity checks.

Solution

  1. In exactly one place, wp-cli should document the commands needed to verify the authenticity and integrity of their releases after downloading them from the Internet and before installing them on the system.
  2. In all the existing places where the installation of wp-cli is documented, a section should be added titled "Cryptographic Verification of Release" that links to the above document.
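The two checks the ticket asks to have documented (a detached `.asc` signature over the downloaded file, and a gpg-signed `SHA256SUMS` list), as an added example that is not part of this issue or of wp-cli's own tooling. The file names, the `demo()` release directory and the `expected_fpr` value are assumptions; the real release-key fingerprint is not given on this page and must be taken from a trusted channel.

```python
import hashlib, os, re, subprocess, tempfile

def sha256_file(path):
    return hashlib.sha256(open(path, "rb").read()).hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum(1) lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def check_sums(sums, directory):
    """Compare every entry of a (gpg-verified) SHA256SUMS against the files on disk."""
    ok, bad, missing = [], [], []
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif sha256_file(path) == expected:
            ok.append(name)
        else:
            bad.append(name)
    return ok, bad, missing

def gpg_verify_detached(sig_path, data_path, pubkey_path, expected_fpr):
    """Verify a detached .asc in a throwaway keyring holding only the expected key. A zero
    exit code only proves *some* imported key signed the file, so the VALIDSIG status line
    is also checked for the pinned (uppercase) fingerprint: signing subkey or primary key."""
    with tempfile.TemporaryDirectory(ignore_cleanup_errors=True) as home:
        env = dict(os.environ, GNUPGHOME=home)
        subprocess.run(["gpg", "--batch", "--import", pubkey_path], env=env, check=True, capture_output=True)
        r = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                            sig_path, data_path], env=env, capture_output=True, text=True)
    for line in r.stdout.splitlines():
        f = line.split()
        if len(f) > 2 and f[1] == "VALIDSIG" and expected_fpr in (f[2], f[-1]):
            return r.returncode == 0
    return False

def demo():
    """Constructed release directory: one intact file, one tampered, one missing."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "wp-cli.phar"), os.path.join(d, "wp-completion.bash")
        open(good, "wb").write(b"<?php // constructed stand-in for the real phar\n")
        open(bad, "wb").write(b"tampered contents")
        sums = parse_sha256sums(f"{sha256_file(good)}  wp-cli.phar\n"
                                f"{hashlib.sha256(b'original').hexdigest()} *wp-completion.bash\n"
                                f"{'0' * 64}  missing.txt\n")
        return check_sums(sums, d)
```

Order matters: verify the signature on `SHA256SUMS` (or on the `.phar.asc`) with the pinned fingerprint first, and only then trust the hashes it lists; a signature that merely verifies against whatever key happens to be in the default keyring says nothing about who published the file.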
