Start here
k2gl is a family of PHP packages for software supply-chain security — a pure-PHP Sigstore verifier and signer, the attestation formats underneath, and Composer plugins — plus a few general-purpose utilities. Pick the path that matches what you need.
Verify what you install
Check that your dependencies were really built by their repositories' CI, at
composer install time:
composer require --dev k2gl/composer-attest Guide: verify provenance at install →
Sign your own releases
If you publish a package, attest its provenance so others can verify it — one line in a release workflow:
- uses: k2gl/composer-attest-action@v1 Reach for a single library
Every layer is its own package — verification, signing, DSSE, in-toto, SLSA, TUF, Rekor. Browse them by type:
All packages → · How they fit together →
Reading with an agent?
Every package has a machine-readable twin. Start from
llms.txt, or append .md / .json
to any package URL for the same content without the HTML.