phive install does not silently import keys #312

Closed
oliverklee opened this issue Jun 8, 2021 · 3 comments

@oliverklee
Contributor

PHIVE does not silently import keys with phive install (at least not in this case), which breaks phive install in non-interactive environments like CI builds.

Steps to reproduce

rm -rf ~/.phive/
git clone git@github.com:sabberworm/PHP-CSS-Parser.git
cd PHP-CSS-Parser
phive install --trust-gpg-keys A972B9ABB95D0B760B51442231C7E470E2138192,A972B9ABB95D0B760B51442231C7E470E2138192

Expected results

At least the GPG keys A972B9ABB95D0B760B51442231C7E470E2138192 and A972B9ABB95D0B760B51442231C7E470E2138192 are silently retrieved and trusted.

Actual results

PHIVE still asks whether the second key should be imported:

Phive 0.14.5 - Copyright (C) 2015-2021 by Arne Blankerts, Sebastian Heuer and Contributors
Downloading https://squizlabs.github.io/PHP_CodeSniffer/phars/phpcbf-3.6.0.phar
Downloading https://squizlabs.github.io/PHP_CodeSniffer/phars/phpcbf-3.6.0.phar.asc
Downloading key 31C7E470E2138192
Trying to connect to keys.openpgp.org (37.218.245.50)
Downloading https://keys.openpgp.org/pks/lookup?op=get&options=mr&search=0x31C7E470E2138192
Successfully downloaded key.

        Fingerprint: A972 B9AB B95D 0B76 0B51 4422 31C7 E470 E213 8192

        Greg Sherwood <gsherwood@squiz.net>

        Created: 2017-11-29

Import this key? [y|N]

@theseer
Member

theseer commented Jun 8, 2021

I'm not convinced that is a bug.

The signature is made by a key with the ID 31C7E470E2138192, which by itself is not within the list of IDs to trust. What you pass in there in the example showcasing the problem are fingerprints. Which is not the same.

@theseer
Member

theseer commented Jun 9, 2021

We might actually consider implementing that as a new feature: Apart from the key ID we could also check the Fingerprint....

@oliverklee
Contributor Author

@theseer Thanks! ❤️
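
The key ID versus fingerprint distinction from the comments above, as an added Python example (not PHIVE's code and not part of the original thread): for a v4 OpenPGP key the long key ID is the last 16 hex digits of the fingerprint, so a trust list can be matched on either form. All function names are hypothetical; `key_id_only_match` models the behaviour described in the thread, and `is_trusted` the fingerprint check floated as a possible feature.

```python
import re

_HEX = re.compile(r"[0-9A-F]+")

def normalize(entry: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case, and validate length."""
    value = entry.replace(" ", "").upper()
    if value.startswith("0X"):
        value = value[2:]
    if not _HEX.fullmatch(value) or len(value) not in (16, 40):
        raise ValueError(f"not a long key ID or v4 fingerprint: {entry!r}")
    return value

def long_key_id(fingerprint: str) -> str:
    """Long key ID of a v4 key: the low 64 bits (last 16 hex digits) of its fingerprint."""
    return normalize(fingerprint)[-16:]

def key_id_only_match(trust_list: str, issuer_key_id: str) -> bool:
    """Model of the behaviour described in the thread: entries are compared as key IDs."""
    issuer = normalize(issuer_key_id)
    return any(normalize(e) == issuer for e in trust_list.split(","))

def is_trusted(trust_list: str, issuer_key_id: str, key_fingerprint: str) -> bool:
    """Accept key IDs or fingerprints; a fingerprint entry must match the whole fingerprint."""
    issuer = long_key_id(issuer_key_id)
    fpr = normalize(key_fingerprint)
    if len(fpr) != 40 or fpr[-16:] != issuer:
        return False  # the downloaded key is not the one the signature names
    for raw in trust_list.split(","):
        entry = normalize(raw)
        if entry == fpr:        # 160-bit fingerprint match (strong)
            return True
        if entry == issuer:     # 64-bit key ID match (weaker)
            return True
    return False

# Values taken from the issue above.
FPR = "A972B9ABB95D0B760B51442231C7E470E2138192"
KEY_ID = "31C7E470E2138192"

if __name__ == "__main__":
    print(long_key_id(FPR))
    print(key_id_only_match(f"{FPR},{FPR}", KEY_ID))
    print(is_trusted(f"{FPR},{FPR}", KEY_ID, FPR))
```

A fingerprint entry pins the full 160-bit value, so a different key that happens to share the same 64-bit key ID is rejected; a bare key ID entry cannot make that distinction.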
