Guides
- Verify build provenance at composer install
Add the composer-attest plugin so Composer checks each dependency's GitHub build-provenance attestation as it downloads it.
- Sign and verify a blob end to end
Produce a Sigstore bundle for an artifact with sigstore-sign, then verify it with sigstore-verify — keyless, in pure PHP.