SSH signature verifier

Verify an SSHSIG signature — the format behind ssh-keygen -Y sign and SSH-signed git commits — against the message it covers, and optionally against an allowed_signers identity.

Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.

allowed_signers (optional — ties the key to an identity, like ssh-keygen -Y verify)

Two modes, like OpenSSH's own

Without an allowed_signers list this runs ssh-keygen -Y check-novalidate semantics: the signature is checked against the message and the embedded public key — proof of integrity, but nothing ties that key to a person. Supply the list and an expected identity to get full ssh-keygen -Y verify semantics: principal match, namespace match and the key's validity window.

Do it in PHP

use K2gl\Sshsig\AllowedSigners;
use K2gl\Sshsig\SshsigVerifier;

// The ssh-keygen -Y verify semantics: signature, principal, namespace,
// validity window — throws unless everything checks out.
$verified = new SshsigVerifier()->verify(
    message: $message,
    armoredSignature: $armored,
    allowedSigners: AllowedSigners::fromFile('allowed_signers'),
    identity: 'alice@example.com',
    namespace: 'file',
);

Powered by k2gl/sshsig — Ed25519, ECDSA and RSA, byte-compatible with OpenSSH.