Generate the signed update manifest

signmanifest.php

<?php
/**
 * @package    Joomla.Cli
 *
 * @copyright  Copyright (C) 2005 - 2018 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

/**
 * This is a CLI script to generate the signed update manifest which should be called from the command-line, not the
 * web. For example something like:
 * /usr/bin/php /path/to/site/cli/signmanifest.php
 */

// Initialize Joomla framework
const _JEXEC = 1;

// Load system defines
if (file_exists(dirname(__DIR__) . '/defines.php'))
{
	require_once dirname(__DIR__) . '/defines.php';
}

if (!defined('_JDEFINES'))
{
	define('JPATH_BASE', dirname(__DIR__));
	require_once JPATH_BASE . '/includes/defines.php';
}

// Get the framework.
require_once JPATH_LIBRARIES . '/import.legacy.php';

// Bootstrap the CMS libraries.
require_once JPATH_LIBRARIES . '/cms.php';

/**
 * Generate signed update manifest.
 *
 * @since  __DEPLOY_VERSION__
 */
class signmanifest extends JApplicationCli
{
	/**
	 * Entry point for the script
	 *
	 * @return  void
	 *
	 * @since   __DEPLOY_VERSION__
	 */
	public function doExecute()
	{

		// Get the extension developer public key or change this to your own keypairs
		$dev_sk='c8ae09b5743ca7acdbc18907dca5803bc0e20b0cc9005833bc14642bbd4cf6d56c46e9505ba78f9fb113b34dace5c095f69d1f693d5a087272cf6d470e5e15c9';
		$dev_pk='6c46e9505ba78f9fb113b34dace5c095f69d1f693d5a087272cf6d470e5e15c9';
		echo 'DeveloperSecretKey:' . $dev_sk, PHP_EOL;
		echo '---', PHP_EOL;
		echo 'DeveloperPublicKey:' . $dev_pk , PHP_EOL;
		
		// Get the original extension update manifest
		$manifest = file_get_contents(dirname(__DIR__) . '/cli/testmanifest.xml'); 

		// Create a trimmed copy of the original manifest
		$doc = new DOMDocument;
		$doc->preserveWhiteSpace = false;
		$dom->formatOutput = true;
		$doc->loadxml( $manifest );
		$xml = $doc->savexml();
		$a= file_put_contents(dirname(__DIR__) . '/cli/trimmedmanifest.xml', $xml);

		// Hash the trimmed manifest
		$manifest = file_get_contents(dirname(__DIR__) . '/cli/trimmedmanifest.xml'); 
		$digest   = hash("sha384", $manifest);

		// Sign the digest with the key pairs
		$dev_sk = ParagonIE_Sodium_Compat::hex2bin($dev_sk);
		$dev_pk = ParagonIE_Sodium_Compat::hex2bin($dev_pk);

		$signature = ParagonIE_Sodium_Compat::crypto_sign_detached($digest, $dev_sk); 
		// Verify the signature 
		if (ParagonIE_Sodium_Compat::crypto_sign_verify_detached($signature, $digest, $dev_pk)) 
		{ 
 		    echo 'OK', PHP_EOL; 
 		} else { 
 		   throw new Exception('Invalid signature'); 
 		} 
		// add the signature to the original manifest
		// get the original manifest
		$manifest = file_get_contents(dirname(__DIR__) . '/cli/testmanifest.xml'); 
		// add the signed hash to the public manifest
		$xmldoc = new DOMDocument;
		$xmldoc->preserveWhiteSpace = true;
		$xmldoc->loadxml($manifest);
		// Create the new tag
		$newNode = $xmldoc->createElement('signature');
		$newValue = $xmldoc->createTextNode(bin2hex($signature));
        	$newNode->appendChild($newValue);
		$xmldoc->getElementsByTagName("updates")[0]->appendChild($newNode);
        	// Save the signed manfifest
		$xml = $xmldoc->savexml(); 
        	$a= file_put_contents(dirname(__DIR__) . '/cli/signedmanifest.xml', $xml);
		
		echo 'Signature:' . bin2hex($signature), PHP_EOL; 
	}
}

JApplicationCli::getInstance('signmanifest')->execute();

change $dev_pk,$dev_sk with your keypairs