Software supply-chain security for PHP
When you run composer install, you download and execute code from
dozens of repositories. Nothing in the default toolchain checks who
built each package or how. composer.lock pins a dist hash,
so it gives you the same bytes every time — that's integrity, not provenance. If
a release is malicious, the lock file faithfully pins the malicious hash.
Sigstore and build-provenance attestations close that gap: a signed statement that an artifact was built by a specific workflow in a specific repository, recorded in a public transparency log. These packages bring the full loop to PHP — producing it, consuming it, and the formats in between.
The stack
Each layer is a separate package, so you take only what you need:
- Verify — k2gl/sigstore-verify: certificate chain, transparency-log inclusion, timestamp, DSSE, identity policy.
- Sign — k2gl/sigstore-sign: keyful or keyless (Fulcio + ambient OIDC), producing a bundle.
- Bundle & log — k2gl/sigstore-bundle, k2gl/rekor-client.
- Attestation formats — k2gl/dsse, k2gl/in-toto-attestation, k2gl/slsa-provenance, k2gl/tuf.
- Signatures & notes — k2gl/sshsig, k2gl/signed-note.
At install time
k2gl/composer-attest is a Composer plugin that verifies GitHub build-provenance attestations as packages are downloaded — checking that each dependency was really built by its repository's CI. k2gl/composer-license-gate gates dependency licenses against an allow/deny policy in the same install step.
Conformance
The verifier and signer pass the official sigstore-conformance suite for both verifying and signing. See the walkthrough for the full loop on real packages.