Verify SSH signatures in PHP?
Yes. k2gl/sshsig implements the OpenSSH
SSHSIG
format — what ssh-keygen -Y sign produces and what git uses for SSH-signed
commits and tags — in pure PHP. Ed25519, ECDSA (P-256/384/521) and RSA.
Both OpenSSH modes
verify— against anallowed_signerslist: principal match, namespace, key validity window. The full trust decision.check-novalidate— signature integrity only, when you just need “this key signed these bytes”.
use K2gl\Sshsig\AllowedSigners;
use K2gl\Sshsig\SshsigVerifier;
$verified = new SshsigVerifier()->verify(
message: $bytes,
armoredSignature: $armored,
allowedSigners: AllowedSigners::fromFile('allowed_signers'),
identity: 'alice@example.com',
namespace: 'file',
);
Signing is covered too (SshsigSigner, OpenSSH and PKCS#8 keys).
Try it without writing code
Paste a message and its -----BEGIN SSH SIGNATURE----- block into the
SSH signature verifier — it runs on this package.
For Sigstore-backed signing with certificates and a transparency log instead, see the supply-chain overview.