Composer attestation checker
Does a Packagist package publish verifiable build provenance? This resolves the release, downloads its dist zip, hashes it and verifies GitHub's attestations for that exact digest — the same check k2gl/composer-attest runs at install time.
Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.
Result
What a verified result means
verified — GitHub holds a build-provenance attestation whose subject digest equals the zip Composer would install, signed by a GitHub Actions workflow of the package's own repository and logged in the Rekor transparency log. You know which workflow, from which commit, produced the artifact. no attestation — the release simply doesn't publish provenance (that's still the norm on Packagist). failed — an attestation exists but doesn't verify; treat that seriously.
Checks run against the release dist zip (capped at 64 MiB) and are cached for 15 minutes.
Check it at install time instead
composer require --dev k2gl/composer-attest
The plugin performs this verification for every package on every install/update, and
composer attest audits an existing lock file. See
k2gl/composer-attest and the
install-time verification guide — and
attest your own package so this page says
verified about you.