Comparisons

Is there a Sigstore client for PHP?

Yes. k2gl/sigstore-verify is a pure-PHP implementation of Sigstore verification, and k2gl/sigstore-sign handles signing (keyful and keyless). Both pass the official sigstore-conformance suite.

What it covers

  • Verification: certificate chain and EKU, Rekor v1/v2 transparency-log inclusion, checkpoint, RFC 3161 timestamp, DSSE envelopes, and identity policy.
  • Signing: Fulcio + ambient OIDC (keyless) or your own key, producing a bundle.
  • The formats underneath, each as its own package: dsse, in-toto-attestation, slsa-provenance, tuf, rekor-client, sigstore-bundle.

Installing

It’s a library — bring your own PSR-18 HTTP client:

composer require k2gl/sigstore-verify

If what you actually want is to verify your dependencies’ provenance at install time, k2gl/composer-attest is a Composer plugin that does exactly that. See the supply-chain overview.