Packages · supply-chain

k2gl/dsse

Sign and verify DSSE envelopes (Dead Simple Signing Envelope) in PHP.

The signing envelope in-toto and Sigstore are built on — PAE encoding and ECDSA/Ed25519 signers included.

k2gl/dsse version on Packagist k2gl/dsse total downloads k2gl/dsse license

Install

composer require k2gl/dsse
PHP
>=8.1

Reach for it when

  • You need to sign or verify a DSSE envelope directly (PAE, ECDSA/Ed25519).
  • You’re implementing in-toto or a Sigstore-adjacent format.

Look elsewhere when

  • You want a full Sigstore bundle with cert + log entry — sigstore-sign / sigstore-verify build on this.

k2gl/dsse

Sign and verify DSSE (Dead Simple Signing Envelope) payloads in PHP with pluggable keys. It's the envelope Sigstore, in-toto, SLSA and npm provenance use to wrap a signed payload.

It gives you the three pieces of the spec and nothing else:

  • PAE — the exact, binary-safe byte string that gets signed.
  • Envelope — the JSON envelope (payload / payloadType / signatures) with lossless (de)serialization.
  • Signer / Verifier — tiny interfaces so you can plug in any key (or a remote KMS/HSM). ECDSA (P-256/384/521), Ed25519, and RSA (PKCS#1 v1.5) implementations are included.

Install

composer require k2gl/dsse

Requires PHP 8.1+. The bundled signers use ext-openssl (ECDSA P-256/384/521, RSA) and ext-sodium (Ed25519); both ship with PHP by default. The core (Pae, Envelope) needs neither.

Usage

PAE — what actually gets signed

use K2gl\Dsse\Pae;

Pae::encode('http://example.com/HelloWorld', 'hello world');
// "DSSEv1 29 http://example.com/HelloWorld 11 hello world"

Lengths are byte counts, so the encoding is unambiguous for any payload, including binary data.

Sign

use K2gl\Dsse\Envelope;
use K2gl\Dsse\EcdsaP256Signer;

$signer   = EcdsaP256Signer::fromPem($privateKeyPem, keyId: 'k1');
$envelope = Envelope::sign('hello world', 'http://example.com/HelloWorld', $signer);

echo $envelope->toJson();
// {"payload":"aGVsbG8gd29ybGQ=","payloadType":"http://example.com/HelloWorld","signatures":[{"keyid":"k1","sig":"..."}]}

Envelope::sign() accepts several signers to produce a multi-signature envelope.

Verify

use K2gl\Dsse\Envelope;
use K2gl\Dsse\EcdsaP256Verifier;
use K2gl\Dsse\Exception\SignatureVerificationFailed;

$envelope = Envelope::fromJson($json);

try {
    $payload = $envelope->verify(EcdsaP256Verifier::fromPem($publicKeyPem));
    // $payload === 'hello world'
} catch (SignatureVerificationFailed) {
    // no signature matched any supplied verifier
}

The envelope is accepted if any signature verifies against any verifier you pass, mirroring the spec's verification model. Pass several verifiers to accept a set of trusted keys.

Ed25519

use K2gl\Dsse\Ed25519Signer;
use K2gl\Dsse\Ed25519Verifier;

$keypair  = sodium_crypto_sign_keypair();
$signer   = new Ed25519Signer(sodium_crypto_sign_secretkey($keypair), 'ed-1');
$verifier = new Ed25519Verifier(sodium_crypto_sign_publickey($keypair));

ECDSA P-384 / P-521 and RSA

The other bundled algorithms follow the same fromPem() pattern:

use K2gl\Dsse\EcdsaP384Signer;
use K2gl\Dsse\EcdsaP384Verifier;
use K2gl\Dsse\RsaSigner;
use K2gl\Dsse\RsaVerifier;

$signer   = EcdsaP384Signer::fromPem($p384PrivateKeyPem);
$verifier = EcdsaP384Verifier::fromPem($p384PublicKeyPem);

// RSASSA-PKCS1-v1_5; hash algorithm defaults to sha256 (sha384/sha512 also supported)
$rsaSigner   = RsaSigner::fromPem($rsaPrivateKeyPem, hashAlgorithm: 'sha512');
$rsaVerifier = RsaVerifier::fromPem($rsaPublicKeyPem, hashAlgorithm: 'sha512');

EcdsaP521Signer / EcdsaP521Verifier work identically.

Loading a key without knowing its algorithm

When a key arrives as a PEM file or a JWK from a JWKS endpoint, PublicKey picks the right verifier for you — RSA, ECDSA (P-256/384/521) or Ed25519 — so you don't have to branch on the algorithm yourself:

use K2gl\Dsse\PublicKey;

$verifier = PublicKey::fromPem($publicKeyPem); // detects the algorithm and curve
$verifier = PublicKey::fromJwk($jwk);          // EC / RSA / OKP (Ed25519)

$payload = $envelope->verify($verifier);

RSA keys carry no hash, so these verify with SHA-256; for another hash use RsaVerifier::fromPem($pem, hashAlgorithm: 'sha512') directly.

KeyId computes the two identifiers commonly used for a signature's keyId:

use K2gl\Dsse\KeyId;

KeyId::sha256Spki($publicKeyPem); // hex SHA-256 of the DER key (cosign / Sigstore style)
KeyId::jwkThumbprint($jwk);       // RFC 7638 base64url thumbprint

Plugging in your own key backend

Implement two methods to sign with a KMS/HSM or any other scheme:

use K2gl\Dsse\Signer;

final class KmsSigner implements Signer
{
    public function sign(string $message): string { /* sign PAE bytes, return raw signature */ }
    public function keyId(): ?string { return 'arn:aws:kms:...'; }
}

Design

  • Crypto-agnostic core. Pae and Envelope carry no cryptography; signing is delegated to Signer / Verifier, so you control the algorithm and key storage.
  • Raw signatures. The bundled ECDSA signers emit raw r||s signatures (64/96/132 bytes for P-256/384/521) (the form DSSE/JOSE/WebCrypto/Sigstore use), converting to and from OpenSSL's DER internally. The verifier accepts both raw r||s and ASN.1 DER signatures, detecting the encoding automatically — so DER signatures (OpenSSL native, Sigstore bundles) verify without any extra wiring.
  • Strict and typed. declare(strict_types=1) throughout, analysed at PHPStan level 9; every exception implements DsseException.

License

MIT — see LICENSE.

Based on the DSSE specification (Apache-2.0) by the Secure Systems Lab; this is an independent, clean-room PHP implementation.

API

Public classes and methods, generated from the source.

K2gl\Dsse\EcdsaP256Signer class

  • fromPem(string $pem, ?string $keyId = null): self
  • sign(string $message): string
  • keyId(): ?string

K2gl\Dsse\EcdsaP256Verifier class

  • fromPem(string $pem): self
  • verify(string $message, string $signature): bool

K2gl\Dsse\EcdsaP384Signer class

  • fromPem(string $pem, ?string $keyId = null): self
  • sign(string $message): string
  • keyId(): ?string

K2gl\Dsse\EcdsaP384Verifier class

  • fromPem(string $pem): self
  • verify(string $message, string $signature): bool

K2gl\Dsse\EcdsaP521Signer class

  • fromPem(string $pem, ?string $keyId = null): self
  • sign(string $message): string
  • keyId(): ?string

K2gl\Dsse\EcdsaP521Verifier class

  • fromPem(string $pem): self
  • verify(string $message, string $signature): bool

K2gl\Dsse\Ed25519Signer class

  • __construct( private readonly string $secretKey, private readonly ?string $keyId = null, )
  • sign(string $message): string
  • keyId(): ?string

K2gl\Dsse\Ed25519Verifier class

  • __construct(private readonly string $publicKey)
  • verify(string $message, string $signature): bool

K2gl\Dsse\Envelope class

  • __construct( public readonly string $payload, public readonly string $payloadType, public readonly array $signatures, )
  • pae(): string
  • sign(string $payload, string $payloadType, Signer ...$signers): self
  • verify(Verifier ...$verifiers): string
  • fromJson(string $json): self
  • fromArray(array $data): self
  • toArray(): array
  • toJson(): string

K2gl\Dsse\Exception\CryptoException class

K2gl\Dsse\Exception\DsseException interface

K2gl\Dsse\Exception\InvalidEnvelopeException class

K2gl\Dsse\Exception\SignatureVerificationFailed class

K2gl\Dsse\KeyId class

  • sha256Spki(string $publicKeyPem): string
  • jwkThumbprint(array $jwk): string

K2gl\Dsse\Pae class

  • encode(string $payloadType, string $payload): string

K2gl\Dsse\PublicKey class

  • fromPem(string $pem): Verifier
  • fromJwk(array $jwk): Verifier

K2gl\Dsse\RsaSigner class

  • fromPem(string $pem, ?string $keyId = null, string $hashAlgorithm = 'sha256'): self
  • sign(string $message): string
  • keyId(): ?string

K2gl\Dsse\RsaVerifier class

  • fromPem(string $pem, string $hashAlgorithm = 'sha256'): self
  • verify(string $message, string $signature): bool

K2gl\Dsse\Signature class

  • __construct( public readonly string $sig, public readonly ?string $keyId = null, )

K2gl\Dsse\Signer interface

  • sign(string $message): string
  • keyId(): ?string

K2gl\Dsse\Verifier interface

  • verify(string $message, string $signature): bool