Start here

k2gl is a family of PHP packages for software supply-chain security — a pure-PHP Sigstore verifier and signer, the attestation formats underneath, and Composer plugins — plus a few general-purpose utilities. Pick the path that matches what you need.

Verify what you install

Check that your dependencies were really built by their repositories' CI, at composer install time:

composer require --dev k2gl/composer-attest

Guide: verify provenance at install →

Sign your own releases

If you publish a package, attest its provenance so others can verify it — one line in a release workflow:

- uses: k2gl/composer-attest-action@v1

Guide: attest your package →

Reach for a single library

Every layer is its own package — verification, signing, DSSE, in-toto, SLSA, TUF, Rekor. Browse them by type:

All packages → · How they fit together →

Reading with an agent?

Every package has a machine-readable twin. Start from llms.txt, or append .md / .json to any package URL for the same content without the HTML.