phive
Manage and verify Phar installation files
TLDR
Display a list of available aliased Phars
Install a specified Phar to the local directory
Install a specified Phar globally
Install a specified Phar to a target directory
Update all Phar files to the latest version
Remove a specified Phar file
Remove unused Phar files
List all available commands
SYNOPSIS
phive [options] <command> [arguments]
PARAMETERS
--home <dir>
Specify the directory where phive stores its data and configuration (defaults to ~/.phive).
--trust-gpg-keys <keyid>[,<keyid>]
Explicitly trust one or more GPG key IDs for signature verification during installation.
--no-trust-gpg-keys
Disable GPG key trust for the current operation, allowing unverified installations (use with caution).
--force
Force the operation, e.g., overwrite existing files or reinstall tools without prompts.
--prefer-unstable
Allow or prefer unstable versions of tools during installation or update.
--disable-progress-bar
Do not show the download progress bar.
-v, --verbose
Increase verbosity of output messages. Can be used multiple times for more detail.
-q, --quiet
Suppress most output messages, showing only essential information or errors.
--version
Display the phive version information and exit.
--help
Display help for phive or a specific command.
<command>
The specific operation to perform, such as install, update, remove, list, version, or help.
[arguments]
Additional arguments specific to the chosen command, e.g., tool names for install or remove.
DESCRIPTION
phive is a dependency manager specifically designed for PHP tools distributed as
PHAR (PHP Archive) files. Unlike Composer, which manages PHP libraries,
phive focuses on developer tools such as PHPUnit, php-cs-fixer,
PHPMD, and others. It ensures the integrity and authenticity of installed
tools by leveraging GnuPG for signature verification, making it a secure
choice for managing third-party PHP executables.
It automatically downloads, verifies, and installs specified PHARs, either
locally within a project or globally on the system. It also provides mechanisms
for updating, removing, and listing installed tools, streamlining the
workflow for PHP development environments.
CAVEATS
phive is not a standard Linux command and requires a PHP installation to run.
It is typically installed via Composer or by downloading its PHAR directly.
Its security features rely heavily on GnuPG, meaning that a working GPG setup
and potentially manual key importing are necessary for full integrity
verification.
Mismanagement of GPG keys or allowing unverified installations can pose a
significant security risk.
GPG KEY MANAGEMENT
phive relies on GnuPG to verify the authenticity of PHAR files. When you
install a tool for the first time, phive attempts to download and verify the
author's GPG key. You might be prompted to confirm trusting a key. Keys are
stored in the phive home directory (typically ~/.phive/gpg-keys).
It's crucial to ensure you only trust keys from legitimate sources to prevent
supply chain attacks, and regularly audit trusted keys.
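One way to audit CI scripts for the risky phive flags listed under PARAMETERS, as an added example that is not part of phive or of the original page. The reporting policy (including the rejection of key IDs shorter than 16 hex digits) and the names audit, audit_line and check_key_ids are assumptions of this example, and the key IDs in the sample are constructed placeholders.

```python
import re

# Flags are those listed under PARAMETERS; the policy itself is an assumption.
RISKY = {
    "--no-trust-gpg-keys": "signature verification disabled",
    "--force": "overwrites or reinstalls without prompts",
    "--prefer-unstable": "may pull unstable releases",
}
HEX_ID = re.compile(r"(?:0x)?([0-9A-Fa-f]+)$")
# Constructed sample CI script; the key IDs are placeholders, not real keys.
SAMPLE_CI = """\
phive install phpunit --trust-gpg-keys 0123456789ABCDEF
./tools/phive install php-cs-fixer --no-trust-gpg-keys
phive install phpmd --trust-gpg-keys=0x89ABCDEF --force
phive install phpunit
composer install --no-dev
"""

def check_key_ids(value):
    """Flag key IDs that are malformed or too short to name a single key."""
    findings = []
    for key in (k.strip(" '\"") for k in value.split(",")):
        m = HEX_ID.match(key)
        if not m:
            findings.append(f"key id {key!r} is not hexadecimal")
        elif len(m.group(1)) < 16:  # short IDs can collide across keys
            findings.append(f"key id {key!r} is shorter than 16 hex digits")
    return findings

def audit_line(line):
    """Return findings for one shell line; [] if clean or not a phive call."""
    argv = line.split("#", 1)[0].split()  # naive tokenizer, drops comments
    if not any(a.rsplit("/", 1)[-1] in ("phive", "phive.phar") for a in argv):
        return []
    findings, pinned = [], False
    for i, arg in enumerate(argv):
        flag, _, inline = arg.partition("=")
        if flag in RISKY:
            findings.append(f"{flag}: {RISKY[flag]}")
        elif flag == "--trust-gpg-keys":
            pinned = True
            findings += check_key_ids(inline or " ".join(argv[i + 1:i + 2]))
    if "install" in argv and not pinned and "--no-trust-gpg-keys" not in argv:
        findings.append("install relies on an interactive key-trust prompt")
    return findings

def audit(script):
    """Map 1-based line numbers to findings for every flagged line."""
    return {n: f for n, l in enumerate(script.splitlines(), 1) if (f := audit_line(l))}
```

Calling audit(SAMPLE_CI) reports lines 2, 3 and 4 of the constructed script; the fully pinned install on line 1 and the non-phive command on line 5 pass.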
PHIVE.XML CONFIGURATION
For project-specific tool management, phive uses a
phive.xml file (similar to Composer's composer.json).
This XML file defines which tools are required for the project, their versions,
and optionally their target installation paths.
Running phive install in a project directory with a phive.xml
will install all defined tools, ensuring consistent development environments
across team members and CI/CD pipelines. This file can be version-controlled.
HISTORY
phive emerged to address the challenges of managing PHP development tools that are
distributed as PHAR files. Before phive, developers often downloaded these
tools manually, which made updating difficult and lacked integrity
verification. The project focused on providing a secure, automated, and
reproducible way to install and manage these tools. Its emphasis on GPG-based
signature verification was a key differentiator, enhancing the security
posture for PHP projects that rely on external tools. It has become a
de facto standard in many PHP development workflows for its specific niche.