Sigstore bundle inspector
Decode a Sigstore bundle
(.sigstore.json, cosign output, a GitHub attestation) and verify it — certificate
chain, transparency log and signature — against the Sigstore public-good trust root.
Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.
Result
Observed vs expected identity
Without an expected identity the tool verifies the bundle against the identity observed in its own certificate: the chain to Fulcio, the transparency-log proof and the signature are all checked for real, which proves the bundle is authentic and logged — but not who signed it. To prove authorship, pin the SAN and issuer you expect (in CI you'd pin your repository and workflow). Supplying the artifact digest additionally proves the signature covers your file.
What's inside a bundle
A Sigstore bundle carries everything verification needs: the short-lived signing
certificate (whose Fulcio
extensions record the OIDC identity, repository, workflow and commit), the
Rekor transparency-log entry proving the signature was
published, and the signature itself — either a DSSE envelope (attestations, provenance) or
a raw messageSignature over an artifact digest.
Do it in PHP
use K2gl\Sigstore\Bundle;
use K2gl\Sigstore\IdentityPolicy;
use K2gl\Sigstore\SigstoreVerifier;
use K2gl\Sigstore\SubjectPolicy;
use K2gl\Sigstore\TrustedRoot;
$envelope = new SigstoreVerifier()->verify(
bundle: Bundle::fromJson($bundleJson),
trustedRoot: TrustedRoot::fromSigstorePublicGood(),
identityPolicy: IdentityPolicy::githubActions(
repository: 'your/repo',
workflow: 'release.yml',
ref: 'refs/heads/main',
),
subjectPolicy: new SubjectPolicy('sha256', hash_file('sha256', $artifact)),
); Powered by k2gl/sigstore-verify — a pure-PHP verifier that passes the official Sigstore conformance suite. To build bundles, see k2gl/sigstore-sign and k2gl/sigstore-bundle.