Composer attestation checker

Does a Packagist package publish verifiable build provenance? This resolves the release, downloads its dist zip, hashes it and verifies GitHub's attestations for that exact digest — the same check k2gl/composer-attest runs at install time.

Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.

What a verified result means

verified — GitHub holds a build-provenance attestation whose subject digest equals the zip Composer would install, signed by a GitHub Actions workflow of the package's own repository and logged in the Rekor transparency log. You know which workflow, from which commit, produced the artifact. no attestation — the release simply doesn't publish provenance (that's still the norm on Packagist). failed — an attestation exists but doesn't verify; treat that seriously.

Checks run against the release dist zip (capped at 64 MiB) and are cached for 15 minutes.

Check it at install time instead

composer require --dev k2gl/composer-attest

The plugin performs this verification for every package on every install/update, and composer attest audits an existing lock file. See k2gl/composer-attest and the install-time verification guide — and attest your own package so this page says verified about you.