Comparisons

Verify GitHub build attestations from PHP?

Yes, two ways depending on what you need.

In your code

k2gl/sigstore-verify verifies GitHub build-provenance attestations (DSSE in-toto bundles) in pure PHP — certificate chain, Rekor transparency-log inclusion, and that the signing identity is a GitHub Actions workflow of the expected repository.

composer require k2gl/sigstore-verify

At install time

k2gl/composer-attest is a Composer plugin that does this automatically as you install dependencies — it hashes each package’s dist, asks GitHub for an attestation bound to that digest, and verifies it.

composer require --dev k2gl/composer-attest

Is it correct?

The verifier is cross-checked against GitHub’s own gh attestation verify (sigstore-go): on a real attested package both agree — verified on the clean artifact, rejected on a tampered one. Two independent implementations, same verdict. See the walkthrough.