Tools
Paste a signature artifact, get it decoded and verified. Every tool runs on the same open-source PHP packages this site documents — the tool output is the package output.
Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.
Sigstore bundle inspectorDecode a .sigstore.json bundle — certificate, Fulcio extensions, transparency log — and verify it for real.DSSE envelope debuggerDecode a DSSE envelope, preview its PAE, and check a signature against your public key.SD-JWT debuggerDecode an SD-JWT or SD-JWT VC: disclosures, recomputed digests, recreated claims, signature.Composer attestation checkerDoes a Packagist package publish verifiable build provenance? Check any vendor/package.SSH signature verifierVerify an SSHSIG signature the ssh-keygen -Y way — with or without an allowed_signers list.SD-JWT generatorIssue a demo SD-JWT with the claims you choose disclosable, signed by a throwaway key.Provenance viewerRender an in-toto statement or SLSA provenance — subjects, builder, dependencies — from JSON or a DSSE envelope.PEM ⇄ JWK converterConvert keys between PEM and JWK entirely in your browser — nothing is uploaded.