LinuxCommandLibrary

phive

Manage and verify Phar installation files

TLDR

Display a list of available aliased Phars

$ phive list

Install a specified Phar to the local directory
$ phive install [alias|url]

Install a specified Phar globally
$ phive install [alias|url] [-g|--global]

Install a specified Phar to a target directory
$ phive install [alias|url] [-t|--target] [path/to/directory]

Update all Phar files to the latest version
$ phive update

Remove a specified Phar file
$ phive remove [alias|url]

Remove unused Phar files
$ phive purge

List all available commands
$ phive help

SYNOPSIS

phive [options] <command> [arguments]

PARAMETERS

--home <dir>
    Specify the directory where phive stores its data and configuration (defaults to ~/.phive).

--trust-gpg-keys <keyid>[,<keyid>]
    Explicitly trust one or more GPG key IDs for signature verification during installation.

--no-trust-gpg-keys
    Disable GPG key trust for the current operation, allowing unverified installations (use with caution).

--force
    Force the operation, e.g., overwrite existing files or reinstall tools without prompts.

--prefer-unstable
    Allow or prefer unstable versions of tools during installation or update.

--disable-progress-bar
    Do not show the download progress bar.

-v, --verbose
    Increase verbosity of output messages. Can be used multiple times for more detail.

-q, --quiet
    Suppress most output messages, showing only essential information or errors.

--version
    Display the phive version information and exit.

--help
    Display help for phive or a specific command.

<command>
    The specific operation to perform, such as install, update, remove, list, version, or help.

[arguments]
    Additional arguments specific to the chosen command, e.g., tool names for install or remove.

DESCRIPTION

phive is a dependency manager specifically designed for PHP tools distributed as
PHAR (PHP Archive) files. Unlike Composer, which manages PHP libraries,
phive focuses on developer tools such as PHPUnit, php-cs-fixer,
PHPMD, and others. It ensures the integrity and authenticity of installed
tools by leveraging GnuPG for signature verification, making it a secure
choice for managing third-party PHP executables.

It automatically downloads, verifies, and installs specified PHARs, either
locally within a project or globally on the system. It also provides mechanisms
for updating, removing, and listing installed tools, streamlining the
workflow for PHP development environments.

CAVEATS

phive is not a standard Linux command and requires a PHP installation to run.
It is typically installed via Composer or by downloading its PHAR directly.
Its security features rely heavily on GnuPG, meaning that a working GPG setup
and potentially manual key importing are necessary for full integrity
verification. Mismanagement of GPG keys or allowing unverified installations
can pose a significant security risk.

GPG KEY MANAGEMENT

phive relies on GnuPG to verify the authenticity of PHAR files. When you
install a tool for the first time, phive attempts to download and verify the
author's GPG key. You might be prompted to confirm trusting a key. Keys are
stored in the phive home directory (typically ~/.phive/gpg-keys).
To prevent supply chain attacks, it is crucial to trust only keys from
legitimate sources and to audit the trusted keys regularly.

PHIVE.XML CONFIGURATION

For project-specific tool management, phive uses a
phive.xml file (similar to Composer's composer.json).
This XML file defines which tools are required for the project, their versions,
and optionally their target installation paths.
Running phive install in a project directory with a phive.xml
will install all defined tools, ensuring consistent development environments
across team members and CI/CD pipelines. This file can be version-controlled.
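
An added example, not part of the original page or of phive itself: a small Python audit for a version-controlled phive.xml that flags entries with no exact version recorded and install locations that leave the project tree. The element and attribute names (phar, name, version, installed, location), the namespace, the sample file, and the two policy rules are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

NS = {"p": "https://phar.io/phive"}  # namespace assumed for phive.xml
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Constructed sample, not taken from any real project.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<phive xmlns="https://phar.io/phive">
  <phar name="phpunit" version="^10.5" installed="10.5.2" location="./tools/phpunit"/>
  <phar name="php-cs-fixer" version="*" location="./tools/php-cs-fixer"/>
  <phar name="phpmd" version="2.15.0" installed="2.15.0" location="../../usr/local/bin/phpmd"/>
</phive>
"""


def audit(xml_text):
    """Return a list of (tool, finding) pairs for a phive.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for phar in root.findall("p:phar", NS):
        name = phar.get("name", "<unnamed>")
        constraint = phar.get("version", "")
        installed = phar.get("installed", "")
        location = phar.get("location", "")
        # Policy (assumed): an exact version must be recorded somewhere, so
        # every checkout and CI run can be compared against the same release.
        if not (EXACT.match(installed) or EXACT.match(constraint)):
            findings.append((name, "no exact version recorded"))
        # Policy (assumed): tools are installed inside the project tree only.
        path = PurePosixPath(location)
        if path.is_absolute() or ".." in path.parts:
            findings.append((name, "location outside project directory"))
    return findings


if __name__ == "__main__":
    for tool, finding in audit(SAMPLE):
        print(f"{tool}: {finding}")
```

Run against the project's own phive.xml in CI, a non-empty result can fail the build before any tool is downloaded.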

HISTORY

phive emerged to address the challenges of managing PHP development tools that are
distributed as PHAR files. Before phive, developers often downloaded these
tools manually, which made updating difficult and lacked integrity
verification. The project focused on providing a secure, automated, and
reproducible way to install and manage these tools. Its emphasis on GPG-based
signature verification was a key differentiator, enhancing the security
posture for PHP projects that rely on external tools. It has become a
de-facto standard in many PHP development workflows for its specific niche.

SEE ALSO

composer(1), php(1), gpg(1), wget(1), curl(1)
