diff --git a/.gitignore b/.gitignore index 33fd704..5e47134 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,5 @@ box.phar phpunit.phar phpunit.phar.asc test/unit/File/tmp +test/.phpunit.result.cache .idea diff --git a/.travis.yml b/.travis.yml index ffaefc0..e8d1dac 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,30 +5,52 @@ matrix: fast_finish: true include: - php: "5.6" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.0" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.1" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.2" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.3" - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "7.4" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=0 - php: "8.0" # psalm currently doesn't like our \[#SensitiveParameter]s - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=0 - php: "8.1" # psalm currently doesn't like our \[#SensitiveParameter]s - env: USE_PSALM=0 + env: + - USE_PSALM=0 + - BUILD_PHAR=1 - php: "8.2" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=1 dist: focal - php: "nightly" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=1 - php: "hhvm" - env: USE_PSALM=1 + env: + - USE_PSALM=1 + - BUILD_PHAR=1 allow_failures: - php: "nightly" - php: "hhvm" 
@@ -42,13 +64,13 @@ before_script: - phpenv config-add extra_php_config.ini script: - ./test.sh -# - mkdir /tmp/box -# - chmod 755 /tmp/box -# - curl -LSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box -# - chmod 755 /tmp/box/box -# - PATH="$PATH:/tmp/box/" which box -# - PATH="$PATH:/tmp/box/" make -C dist/ build-phar -# - ./test.sh dist/defuse-crypto.phar + - if [[ $BUILD_PHAR -eq 1 ]]; then mkdir /tmp/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then chmod 755 /tmp/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then curl -LSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then chmod 755 /tmp/box/box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then PATH="$PATH:/tmp/box/" which box; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then PATH="$PATH:/tmp/box/" make -C dist/ build-phar; fi + - if [[ $BUILD_PHAR -eq 1 ]]; then ./test.sh dist/phar-testing-autoload.php; fi - if [[ $USE_PSALM -eq 1 ]]; then composer require --with-all-dependencies --dev "vimeo/psalm:dev-master"; fi - if [[ $USE_PSALM -eq 1 ]]; then composer install; fi - if [[ $USE_PSALM -eq 1 ]]; then vendor/bin/psalm; fi diff --git a/README.md b/README.md index 499b592..0e76317 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ support](https://www.php.net/supported-versions.php), which at the time of writing means PHP 8.0 or later. Using this library with an unsupported version of PHP could lead to security vulnerabilities. -The current version of `php-encryption` is v2.3.1. This library is expected to +The current version of `php-encryption` is v2.4.0. This library is expected to remain stable and supported by its authors with security and bugfixes until at least January 1st, 2024. 
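Review bot: The box binary fetched by the `curl` step in the new `BUILD_PHAR` block is executed by the following lines (`which box`, `make -C dist/ build-phar`) without any integrity check, so the tooling that builds the release phar is trusted solely on the download URL. Pinning the expected digest of the 4.3.8 release and failing the job on mismatch would close that gap, and adding `-f` to curl makes an HTTP error fail the step instead of saving an error page as `/tmp/box/box`: `curl -fLSs https://github.com/box-project/box/releases/download/4.3.8/box.phar -o /tmp/box/box` followed by `echo "<sha256-of-box-4.3.8-goes-here>  /tmp/box/box" | sha256sum -c -`. A minor robustness point: `mkdir /tmp/box` without `-p` fails if the directory already exists, which is harmless on a fresh CI image but would bite anyone running the script twice locally.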
@@ -99,23 +99,26 @@ a formal audit, please [contact Taylor Hornby](https://defuse.ca/contact.htm). Public Keys ------------ -The GnuPG public key used to sign current and older releases is available in -[dist/signingkey.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey.asc). Its fingerprint is: +The GnuPG public key used to sign the current and new releases is available in +[dist/signingkey-new.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: ``` -2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 +6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 ``` You can verify it against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and -[twitter](https://twitter.com/DefuseSec/status/723741424253059074). +[twitter](https://twitter.com/DefuseSec/status/1670840796743081984). -Due to the old key expiring, new releases will be signed with a new public key -available in [dist/signingkey-new.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc). Its fingerprint is: +Older releases were signed with a (now-expired) available in +[dist/signingkey-old.asc](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-old.asc). The old key's fingerprint is: ``` -6DD6 E677 0281 5846 FC85 25A3 DD2E 507F 7BDB 1669 +2FA6 1D8D 99B9 2658 6BAC 3D53 385E E055 A129 1538 ``` +The old key's fingerprint can be verified against Taylor Hornby's [contact page](https://defuse.ca/contact.htm) and +[twitter](https://twitter.com/DefuseSec/status/723741424253059074). + A signature of this new key by the old key is available in [dist/signingkey-new.asc.sig](https://github.com/defuse/php-encryption/raw/master/dist/signingkey-new.asc.sig). diff --git a/composer.json b/composer.json index 7f15ba0..29a1d52 100644 --- a/composer.json +++ b/composer.json 
@@ -26,8 +26,8 @@ "php": ">=5.6.0" }, "require-dev": { - "phpunit/phpunit": "^5|^6|^7|^8|^9|^10", - "yoast/phpunit-polyfills": "^2.0.0" + "yoast/phpunit-polyfills": "^2.0.0", + "phpunit/phpunit": "^5|^6|^7|^8|^9|^10" }, "bin": [ "bin/generate-defuse-key" diff --git a/dist/Makefile b/dist/Makefile index 833e479..bffe616 100644 --- a/dist/Makefile +++ b/dist/Makefile @@ -31,7 +31,7 @@ clean: defuse-crypto.phar: dist/box.json composer.lock cp dist/box.json . - php -d phar.readonly=0 $(box) build -c box.json -v + php $(box) compile -c box.json -v composer.lock: $(composer) config autoloader-suffix $(gitcommit) diff --git a/dist/box.json b/dist/box.json index f225f78..3c81e95 100644 --- a/dist/box.json +++ b/dist/box.json @@ -15,9 +15,6 @@ "exclude": "other" } ], - "compactors": [ - "Herrera\\Box\\Compactor\\Php" - ], "main": "vendor/autoload.php", "output": "defuse-crypto.phar", "shebang": false, diff --git a/dist/phar-testing-autoload.php b/dist/phar-testing-autoload.php new file mode 100644 index 0000000..433395a --- /dev/null +++ b/dist/phar-testing-autoload.php @@ -0,0 +1,4 @@ + diff --git a/dist/signingkey.asc b/dist/signingkey-old.asc similarity index 100% rename from dist/signingkey.asc rename to dist/signingkey-old.asc diff --git a/docs/InternalDeveloperDocs.md b/docs/InternalDeveloperDocs.md index b68f710..75d4a2c 100644 --- a/docs/InternalDeveloperDocs.md +++ b/docs/InternalDeveloperDocs.md @@ -111,7 +111,7 @@ Check out the branch you want to release: git checkout ``` -Check that the version number in composer.json is correct: +Check that the version number in composer.json is correct (or not specified so that it gets picked up from the git tag): ``` cat composer.json @@ -141,7 +141,7 @@ Test the `.phar`: ``` cd ../ -./test.sh dist/defuse-crypto.phar +./test.sh dist/phar-testing-autoload.php ``` Sign the `.phar`:
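Review bot: The `defuse-crypto.phar` rule still lists only `dist/box.json` and `composer.lock` as prerequisites, so a change to the library sources that end up inside the phar will not trigger a rebuild once the phar exists; the packaged sources should be added to the prerequisite list (for example `$(shell find <src-dir> -name '*.php')`, with the directory replaced by wherever the packaged sources live, and assigned with `:=` so `find` runs once). Dropping `-d phar.readonly=0` relies on Box restarting PHP with `phar.readonly=0` itself — I believe Box 4 does this, but it is worth confirming once on the CI image, since otherwise `compile` fails on hosts whose ini default is `phar.readonly=1`. `php` is hard-coded in the recipe while the tool path comes from `$(box)`; `$(PHP) $(box) compile -c box.json -v` with `PHP ?= php` next to the other variable definitions would let the interpreter be overridden the same way. The `$(box)` definition and the `clean:` rule named in the hunk header are outside the hunk.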