Packages · supply-chain
k2gl/dsse
Sign and verify DSSE envelopes (Dead Simple Signing Envelope) in PHP.
The signing envelope in-toto and Sigstore are built on — PAE encoding and ECDSA/Ed25519 signers included.
Install
composer require k2gl/dsse Reach for it when
- You need to sign or verify a DSSE envelope directly (PAE, ECDSA/Ed25519).
- You’re implementing in-toto or a Sigstore-adjacent format.
Look elsewhere when
- You want a full Sigstore bundle with cert + log entry — sigstore-sign / sigstore-verify build on this.
k2gl/dsse
Sign and verify DSSE (Dead Simple Signing Envelope) payloads in PHP with pluggable keys. It's the envelope Sigstore, in-toto, SLSA and npm provenance use to wrap a signed payload.
It gives you the three pieces of the spec and nothing else:
- PAE — the exact, binary-safe byte string that gets signed.
- Envelope — the JSON envelope (
payload/payloadType/signatures) with lossless (de)serialization. - Signer / Verifier — tiny interfaces so you can plug in any key (or a remote KMS/HSM). ECDSA (P-256/384/521), Ed25519, and RSA (PKCS#1 v1.5) implementations are included.
Install
composer require k2gl/dsse
Requires PHP 8.1+. The bundled signers use ext-openssl (ECDSA P-256/384/521, RSA) and
ext-sodium (Ed25519); both ship with PHP by default. The core (Pae, Envelope)
needs neither.
Usage
PAE — what actually gets signed
use K2gl\Dsse\Pae;
Pae::encode('http://example.com/HelloWorld', 'hello world');
// "DSSEv1 29 http://example.com/HelloWorld 11 hello world"
Lengths are byte counts, so the encoding is unambiguous for any payload, including binary data.
Sign
use K2gl\Dsse\Envelope;
use K2gl\Dsse\EcdsaP256Signer;
$signer = EcdsaP256Signer::fromPem($privateKeyPem, keyId: 'k1');
$envelope = Envelope::sign('hello world', 'http://example.com/HelloWorld', $signer);
echo $envelope->toJson();
// {"payload":"aGVsbG8gd29ybGQ=","payloadType":"http://example.com/HelloWorld","signatures":[{"keyid":"k1","sig":"..."}]}
Envelope::sign() accepts several signers to produce a multi-signature envelope.
Verify
use K2gl\Dsse\Envelope;
use K2gl\Dsse\EcdsaP256Verifier;
use K2gl\Dsse\Exception\SignatureVerificationFailed;
$envelope = Envelope::fromJson($json);
try {
$payload = $envelope->verify(EcdsaP256Verifier::fromPem($publicKeyPem));
// $payload === 'hello world'
} catch (SignatureVerificationFailed) {
// no signature matched any supplied verifier
}
The envelope is accepted if any signature verifies against any verifier you pass, mirroring the spec's verification model. Pass several verifiers to accept a set of trusted keys.
Ed25519
use K2gl\Dsse\Ed25519Signer;
use K2gl\Dsse\Ed25519Verifier;
$keypair = sodium_crypto_sign_keypair();
$signer = new Ed25519Signer(sodium_crypto_sign_secretkey($keypair), 'ed-1');
$verifier = new Ed25519Verifier(sodium_crypto_sign_publickey($keypair));
ECDSA P-384 / P-521 and RSA
The other bundled algorithms follow the same fromPem() pattern:
use K2gl\Dsse\EcdsaP384Signer;
use K2gl\Dsse\EcdsaP384Verifier;
use K2gl\Dsse\RsaSigner;
use K2gl\Dsse\RsaVerifier;
$signer = EcdsaP384Signer::fromPem($p384PrivateKeyPem);
$verifier = EcdsaP384Verifier::fromPem($p384PublicKeyPem);
// RSASSA-PKCS1-v1_5; hash algorithm defaults to sha256 (sha384/sha512 also supported)
$rsaSigner = RsaSigner::fromPem($rsaPrivateKeyPem, hashAlgorithm: 'sha512');
$rsaVerifier = RsaVerifier::fromPem($rsaPublicKeyPem, hashAlgorithm: 'sha512');
EcdsaP521Signer / EcdsaP521Verifier work identically.
Loading a key without knowing its algorithm
When a key arrives as a PEM file or a JWK from a JWKS endpoint, PublicKey picks the
right verifier for you — RSA, ECDSA (P-256/384/521) or Ed25519 — so you don't have to
branch on the algorithm yourself:
use K2gl\Dsse\PublicKey;
$verifier = PublicKey::fromPem($publicKeyPem); // detects the algorithm and curve
$verifier = PublicKey::fromJwk($jwk); // EC / RSA / OKP (Ed25519)
$payload = $envelope->verify($verifier);
RSA keys carry no hash, so these verify with SHA-256; for another hash use
RsaVerifier::fromPem($pem, hashAlgorithm: 'sha512') directly.
KeyId computes the two identifiers commonly used for a signature's keyId:
use K2gl\Dsse\KeyId;
KeyId::sha256Spki($publicKeyPem); // hex SHA-256 of the DER key (cosign / Sigstore style)
KeyId::jwkThumbprint($jwk); // RFC 7638 base64url thumbprint
Plugging in your own key backend
Implement two methods to sign with a KMS/HSM or any other scheme:
use K2gl\Dsse\Signer;
final class KmsSigner implements Signer
{
public function sign(string $message): string { /* sign PAE bytes, return raw signature */ }
public function keyId(): ?string { return 'arn:aws:kms:...'; }
}
Design
- Crypto-agnostic core.
PaeandEnvelopecarry no cryptography; signing is delegated toSigner/Verifier, so you control the algorithm and key storage. - Raw signatures. The bundled ECDSA signers emit raw
r||ssignatures (64/96/132 bytes for P-256/384/521) (the form DSSE/JOSE/WebCrypto/Sigstore use), converting to and from OpenSSL's DER internally. The verifier accepts both rawr||sand ASN.1 DER signatures, detecting the encoding automatically — so DER signatures (OpenSSL native, Sigstore bundles) verify without any extra wiring. - Strict and typed.
declare(strict_types=1)throughout, analysed at PHPStan level 9; every exception implementsDsseException.
License
MIT — see LICENSE.
Based on the DSSE specification (Apache-2.0) by the Secure Systems Lab; this is an independent, clean-room PHP implementation.
API
Public classes and methods, generated from the source.
K2gl\Dsse\EcdsaP256Signer class
fromPem(string $pem, ?string $keyId = null): selfsign(string $message): stringkeyId(): ?string
K2gl\Dsse\EcdsaP256Verifier class
fromPem(string $pem): selfverify(string $message, string $signature): bool
K2gl\Dsse\EcdsaP384Signer class
fromPem(string $pem, ?string $keyId = null): selfsign(string $message): stringkeyId(): ?string
K2gl\Dsse\EcdsaP384Verifier class
fromPem(string $pem): selfverify(string $message, string $signature): bool
K2gl\Dsse\EcdsaP521Signer class
fromPem(string $pem, ?string $keyId = null): selfsign(string $message): stringkeyId(): ?string
K2gl\Dsse\EcdsaP521Verifier class
fromPem(string $pem): selfverify(string $message, string $signature): bool
K2gl\Dsse\Ed25519Signer class
__construct( private readonly string $secretKey, private readonly ?string $keyId = null, )sign(string $message): stringkeyId(): ?string
K2gl\Dsse\Ed25519Verifier class
__construct(private readonly string $publicKey)verify(string $message, string $signature): bool
K2gl\Dsse\Envelope class
__construct( public readonly string $payload, public readonly string $payloadType, public readonly array $signatures, )pae(): stringsign(string $payload, string $payloadType, Signer ...$signers): selfverify(Verifier ...$verifiers): stringfromJson(string $json): selffromArray(array $data): selftoArray(): arraytoJson(): string
K2gl\Dsse\Exception\CryptoException class
K2gl\Dsse\Exception\DsseException interface
K2gl\Dsse\Exception\InvalidEnvelopeException class
K2gl\Dsse\Exception\SignatureVerificationFailed class
K2gl\Dsse\KeyId class
sha256Spki(string $publicKeyPem): stringjwkThumbprint(array $jwk): string
K2gl\Dsse\Pae class
encode(string $payloadType, string $payload): string
K2gl\Dsse\PublicKey class
fromPem(string $pem): VerifierfromJwk(array $jwk): Verifier
K2gl\Dsse\RsaSigner class
fromPem(string $pem, ?string $keyId = null, string $hashAlgorithm = 'sha256'): selfsign(string $message): stringkeyId(): ?string
K2gl\Dsse\RsaVerifier class
fromPem(string $pem, string $hashAlgorithm = 'sha256'): selfverify(string $message, string $signature): bool
K2gl\Dsse\Signature class
__construct( public readonly string $sig, public readonly ?string $keyId = null, )
K2gl\Dsse\Signer interface
sign(string $message): stringkeyId(): ?string
K2gl\Dsse\Verifier interface
verify(string $message, string $signature): bool