Comparisons

DSSE envelopes in PHP?

Yes. k2gl/dsse implements the Dead Simple Signing Envelope — the signature wrapper underneath in-toto attestations, SLSA provenance and Sigstore bundles. PAE (pre-authentication encoding), multiple signatures per envelope, key IDs, ECDSA (P-256/384/521), Ed25519 and RSA.

use K2gl\Dsse\Envelope;
use K2gl\Dsse\PublicKey;

// Throws unless a signature checks out; returns the authenticated payload.
$payload = Envelope::fromJson($json)->verify(PublicKey::fromPem($pem));

Keys load from PEM or JWK interchangeably — the same PublicKey class serves the SD-JWT family too.

Why PAE matters

DSSE never signs the raw payload: it signs DSSEv1 <len> <payloadType> <len> <payload>, which binds the payload type into the signature and kills type-confusion attacks. The DSSE debugger shows the exact PAE preimage for any envelope you paste — useful when your verifier and someone else’s signer disagree.

Up the stack

An envelope usually carries an in-toto statement — k2gl/in-toto-attestation types it, k2gl/slsa-provenance types the SLSA predicate, and a full Sigstore bundle adds the certificate and transparency log (overview).