Handle GitHub releases with multiple signatures

phar-io · Feb 2, 2024 · 1cfd8a8 · 1cfd8a8
1 parent 951f615
commit 1cfd8a8
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/src/shared/repository/GithubRepository.php b/src/shared/repository/GithubRepository.php
@@ -36,7 +36,7 @@ public function getReleasesByRequestedPhar(RequestedPhar $requestedPhar): Releas
                 continue;
             }
             $pharUrl      = null;
-            $signatureUrl = null;
+            $signatureUrl = [];
 
             foreach ($entry['assets'] as $asset) {
                 $url = $asset['browser_download_url'];
@@ -48,7 +48,7 @@ public function getReleasesByRequestedPhar(RequestedPhar $requestedPhar): Releas
                 }
 
                 if (in_array(substr($url, -4, 4), ['.asc', '.sig'], true)) {
-                    $signatureUrl = new Url($url);
+                    $signatureUrl[$url] = new Url($url);
                 }
             }
 
@@ -61,6 +61,12 @@ public function getReleasesByRequestedPhar(RequestedPhar $requestedPhar): Releas
                 continue;
             }
 
+            // if the release has multiple signatures, use the one that's closest to the
+            // name of the phar, e.g. doctum.phar.asc instead of doctum.phar.sha256.asc
+            $signatureUrl = $signatureUrl[$pharUrl . '.asc']
+                ?? $signatureUrl[$pharUrl . '.sig']
+                ?? array_shift($signatureUrl);
+
             // we do have a phar but no signature, could potentially be used
             if (!$signatureUrl instanceof Url) {
                 $releases->add(