Is there a Sigstore client for PHP?
Yes. k2gl/sigstore-verify is a pure-PHP
implementation of Sigstore verification, and k2gl/sigstore-sign
handles signing (keyful and keyless). Both pass the official
sigstore-conformance suite.
What it covers
- Verification: certificate chain and EKU, Rekor v1/v2 transparency-log inclusion, checkpoint, RFC 3161 timestamp, DSSE envelopes, and identity policy.
- Signing: Fulcio + ambient OIDC (keyless) or your own key, producing a bundle.
- The formats underneath, each as its own package: dsse, in-toto-attestation, slsa-provenance, tuf, rekor-client, sigstore-bundle.
Installing
It’s a library — bring your own PSR-18 HTTP client:
composer require k2gl/sigstore-verify
If what you actually want is to verify your dependencies’ provenance at install
time, k2gl/composer-attest is a Composer plugin that
does exactly that. See the supply-chain overview.