Verify GitHub build attestations from PHP?
Yes, two ways depending on what you need.
In your code
k2gl/sigstore-verify verifies GitHub
build-provenance attestations (DSSE in-toto bundles) in pure PHP — certificate
chain, Rekor transparency-log inclusion, and that the signing identity is a GitHub
Actions workflow of the expected repository.
composer require k2gl/sigstore-verify
At install time
k2gl/composer-attest is a Composer plugin that does
this automatically as you install dependencies — it hashes each package’s dist,
asks GitHub for an attestation bound to that digest, and verifies it.
composer require --dev k2gl/composer-attest
Is it correct?
The verifier is cross-checked against GitHub’s own gh attestation verify
(sigstore-go): on a real attested package both agree — verified on the clean
artifact, rejected on a tampered one. Two independent implementations, same verdict.
See the walkthrough.