Downloads

Upgrading to the latest version not only replaces old code and gets the latest solutions; if you do n’t update, these versions are sometimes outdated and may lack the latest features. Also, the configuration process varies from package to package and may not follow official documentation. Having said that, staying updated is the fastest and easiest way.

PHP Multilingual Framework v26 Latest Version

Released 2026-01-26

Verifying releases

Starting with the v26 version number, all distributions are cryptographically signed by the released developer, who is a 'https://fengyi.tel Security Team', Key-ID:

0FEB F674 EAD2 3E05

PGP fingerprint:

DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05

You should verify that the signature matches the file you downloaded. This way, you can be sure that the code used is the same as the one posted. You should also verify the date of the signature to ensure that you downloaded the latest version.

Every file comes with .asc There are files containing PGP signatures. After putting them in the same folder, you can verify the signature:

$ gpg --verify php-mul-latest-master.zip.asc

gpg: Can't check signature: public key not found

As you can see, gpg prompts that it does not know the public key. At this point, you should perform one of the following steps:

1. Download from official Latest public key and import the key:

https://fengyi.tel/yi.asc

Download online and import directly

$ wget --no-check-certificate https://fengyi.tel/yi.asc && gpg --import yi.asc
$ curl https://fengyi.tel/yi.asc | gpg --import

# Or use the command line to import the keys after manual download
$ gpg --import yi.asc

2. Download and import keys from one of the key servers:

$ gpg --keyserver keys.gnupg.net --recv-keys DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05

Gpg prompts after importing keys: no ultimately trusted keys found

gpg: no ultimately trusted keys found

To improve this situation, you can verify that the signature of the specified key is correct, but you still cannot trust the name used in the key:

$ gpg --verify php-mul-latest-master.zip.asc

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner." [full]

The problem here is that anyone can use that name to publish the key. You need to ensure that the key is actually owned by the person mentioned. The GNU Privacy Manual is in the "Verify other keys on the public key ring" Covers this topic. The most reliable way is to meet with the developers in person and exchange key fingerprints, but you can also rely on a network of trust. This way, you can do so by signing from someone else who has encountered the developer in person Pass the trusted key.

Once the key is trusted, no warning occurs:

$ gpg --verify php-mul-latest-master.zip.asc

gpg: Good signature from "https://fengyi.tel Security Team <security@https://fengyi.tel>" [full]

If the signature is invalid (the archive has changed), you get a clear error whether the key is trusted or not:

$ gpg --verify php-mul-latest-master.zip.asc

gpg: BAD signature from "https://fengyi.tel Security Team <security@https://fengyi.tel>" [full]

After that, you can delete the public key:

$ gpg --delete-key DBBC8D7BB64C4648A70AEA180FEBF674EAD23E05