Software supply-chain security for PHP

When you run composer install, you download and execute code from dozens of repositories. Nothing in the default toolchain checks who built each package or how. composer.lock pins a dist hash, so it gives you the same bytes every time — that's integrity, not provenance. If a release is malicious, the lock file faithfully pins the malicious hash.

Sigstore and build-provenance attestations close that gap: a signed statement that an artifact was built by a specific workflow in a specific repository, recorded in a public transparency log. These packages bring the full loop to PHP — producing it, consuming it, and the formats in between.

The stack

Each layer is a separate package, so you take only what you need:

At install time

k2gl/composer-attest is a Composer plugin that verifies GitHub build-provenance attestations as packages are downloaded — checking that each dependency was really built by its repository's CI. k2gl/composer-license-gate gates dependency licenses against an allow/deny policy in the same install step.

How they build on each other

Each package depends only on the layers it needs — nothing pulls in the whole family. The k2gl dependencies of each supply-chain package:

Conformance

The verifier and signer pass the official sigstore-conformance suite for both verifying and signing. See the walkthrough for the full loop on real packages.