SSH signature verifier
Verify an SSHSIG
signature — the format behind ssh-keygen -Y sign and SSH-signed git commits —
against the message it covers, and optionally against an allowed_signers identity.
Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.
Result
Two modes, like OpenSSH's own
Without an allowed_signers list this runs
ssh-keygen -Y check-novalidate semantics: the signature is checked against the
message and the embedded public key — proof of integrity, but nothing ties that key to a
person. Supply the list and an expected identity to get full
ssh-keygen -Y verify semantics: principal match, namespace match and the
key's validity window.
Do it in PHP
use K2gl\Sshsig\AllowedSigners;
use K2gl\Sshsig\SshsigVerifier;
// The ssh-keygen -Y verify semantics: signature, principal, namespace,
// validity window — throws unless everything checks out.
$verified = new SshsigVerifier()->verify(
message: $message,
armoredSignature: $armored,
allowedSigners: AllowedSigners::fromFile('allowed_signers'),
identity: 'alice@example.com',
namespace: 'file',
); Powered by k2gl/sshsig — Ed25519, ECDSA and RSA, byte-compatible with OpenSSH.