Comparisons
- A cosign alternative for PHP?
cosign is a Go CLI. For PHP, sigstore-verify and sigstore-sign do verification and signing in-process, no shelling out.
- A TUF client for PHP?
Yes — k2gl/tuf is a pure-PHP client for The Update Framework: resolve and verify TUF metadata, no external tooling.
- DSSE envelopes in PHP?
Yes — sign and verify Dead Simple Signing Envelopes (the format under in-toto, SLSA and Sigstore attestations) in pure PHP.
- EUDI wallet relying party in PHP?
Yes — verify the EU Digital Identity Wallet's credential format (SD-JWT VC, dc+sd-jwt) in pure PHP: issuer signature, disclosures, key binding.
- in-toto attestations in PHP?
Yes — k2gl/in-toto-attestation builds and parses in-toto Statements in PHP, ready to carry any predicate (SLSA, SBOM) and be signed with DSSE.
- Is there a Sigstore client for PHP?
Yes — a pure-PHP Sigstore verifier and signer that pass the official conformance suite, plus the attestation formats and a Composer plugin.
- SD-JWT in PHP?
Yes — issue, present and verify Selective Disclosure JWTs (RFC 9901) in pure PHP, with online tools to generate and decode them.
- SLSA provenance in PHP?
Yes — k2gl/slsa-provenance models SLSA v1 and v0.2 provenance predicates as typed PHP, ready to wrap in an in-toto Statement and sign.
- Verify GitHub build attestations from PHP?
Yes — k2gl/sigstore-verify verifies GitHub build-provenance attestations in pure PHP, and composer-attest does it at install time. Cross-checked against gh.
- Verify SSH signatures in PHP?
Yes — SSHSIG (ssh-keygen -Y, SSH-signed git commits) verifies in pure PHP with full allowed_signers semantics, and there's a browser tool to try it.