phpboyscout.uk

Public keys

The OpenPGP keys used to sign PHP Boy Scout software releases. They're published over Web Key Directory (WKD), so your tools can find and trust them without you hunting down a keyserver.

Fetch a key

WKD resolves straight from the email address — no fingerprint to copy by hand:

gpg --locate-keys release@phpboyscout.uk

Then verify a signed release the usual way:

gpg --verify mytool_1.2.3_checksums.txt.asc mytool_1.2.3_checksums.txt

The keys

PHP Boy Scout Release

release@phpboyscout.uk · the primary release-signing identity

Ed25519 · created 2026-06-08

2B26 6584 0904 7ED0 8B56  CEBD CF5B 8DBB 5D9F 19C2

RSA-4096 · created 2026-06-08

6E20 72BB F83D FAAF 0063  00C4 95DD AC33 3C37 AA35

ffmpeg-wasi Release Signing

ffmpeg-wasi-release@phpboyscout.uk · the per-project key for ffmpeg-wasi builds

RSA-4096 · created 2026-06-30

7108 81C1 DDAE ABD1 38E5  3004 A216 6E59 EB60 60E1
gpg --locate-keys ffmpeg-wasi-release@phpboyscout.uk

How to trust these

Don't take this page's word for it. The point of WKD is that the key travels with the domain, and a second, independent copy is cross-checked so a single compromised account can't quietly swap it. The reasoning is written up on the blog: Publish your key where they can't touch it and A signature the platform can't forge.