Verify build provenance at composer install
k2gl/composer-attest verifies GitHub
build-provenance attestations for packages as Composer downloads them — no
separate step in CI to remember.
Install
composer require --dev k2gl/composer-attest
Composer will ask to trust the plugin the first time (it runs during install).
Configure
Set the policy in your root composer.json:
{
"extra": {
"k2gl-attest": {
"mode": "warn",
"require-attestation": false
}
}
}
mode:warn(report only),enforce(fail the install on a bad attestation), oroff.require-attestation: treat a package that publishes no attestation as a failure. Off by default, since most packages don’t publish one yet.
What you’ll see
✓ attestation verified for k2gl/sigstore-verify
· no attestation for some/other-package
Under enforce, a package whose attestation fails verification aborts the install.
How it works
On each package download the plugin hashes the dist, asks GitHub for an attestation
bound to that digest, and verifies the Sigstore bundle with
k2gl/sigstore-verify — checking the certificate
chain, transparency-log inclusion, and that the signing identity is a GitHub
Actions workflow of the package’s own repository.
Most packages don’t attest yet, so expect a lot of “no attestation” today — that’s the state of the ecosystem, not a plugin bug. To attest your own packages, see Sign and verify a blob and the supply-chain overview.