Download the PHP package k2gl/in-toto-attestation without Composer
Package: in-toto-attestation
Short Description: Faithful, typed PHP implementation of the in-toto Attestation Framework (Statement v1): build, sign and verify attestations over k2gl/dsse.
License: MIT
Homepage: https://github.com/k2gl/in-toto-attestation
Information about the package in-toto-attestation
k2gl/in-toto-attestation
Build, sign and verify in-toto attestation Statements in PHP, both the current v1 and the legacy v0.1 that many real-world bundles still carry. Signed and parsed over DSSE.
An in-toto attestation is a signed claim ("predicate") about one or more artifacts
("subjects"). The claim is a Statement, carried inside a DSSE envelope with payload
type application/vnd.in-toto+json. This package gives you typed, validated Statement
and ResourceDescriptor value objects plus the sign/parse glue to DSSE.
Install
Requires PHP 8.1+. Pulls in k2gl/dsse. The example signers use ext-sodium
(Ed25519) / ext-openssl (ECDSA), both bundled with PHP.
Usage
Build and sign a statement
Verify and parse
fromEnvelope() checks the envelope's payloadType and decodes the payload — always
verify the envelope's signatures (via k2gl/dsse) before trusting the result.
Statement versions
Real-world Sigstore bundles carry in-toto Statements in two schema versions: the current
v1 and the legacy v0.1 (often wrapping a SLSA Provenance v0.2 predicate). fromJson()
and fromEnvelope() parse both and expose which one was decoded:
New statements default to v1. To build a v0.1 statement, pass the version explicitly:
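As an added example, not code from this package or from k2gl/dsse, the following script shows what the verify-and-parse step and the v1/v0.1 version check described above involve when done by hand with ext-sodium: check payloadType, verify an Ed25519 signature over the DSSE pre-authentication encoding, and only then decode the Statement. The key pair, subject digest, predicateType URL and predicate are constructed placeholders.

```php
<?php
// Added example, not the package's own API: a minimal DSSE sign/verify round trip
// over an in-toto Statement using ext-sodium (Ed25519). Key, digest, predicateType
// and predicate are constructed sample values; k2gl/dsse does the real envelope work.
const PAYLOAD_TYPE = 'application/vnd.in-toto+json';
const STATEMENT_TYPES = ['https://in-toto.io/Statement/v1'   => 'v1',
                         'https://in-toto.io/Statement/v0.1' => 'v0.1'];
// DSSE pre-authentication encoding: these bytes are signed, never the raw payload.
function pae(string $type, string $body): string {
    return sprintf('DSSEv1 %d %s %d %s', strlen($type), $type, strlen($body), $body);
}

function signStatement(array $statement, string $secretKey, string $keyId): array {
    $body = json_encode($statement, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    $sig  = sodium_crypto_sign_detached(pae(PAYLOAD_TYPE, $body), $secretKey);
    return ['payloadType' => PAYLOAD_TYPE, 'payload' => base64_encode($body),
            'signatures' => [['keyid' => $keyId, 'sig' => base64_encode($sig)]]];
}
// Returns [version, statement]; throws unless payloadType matches and a trusted key signed it.
function verifyAndParse(array $envelope, array $trustedKeys): array {
    if (($envelope['payloadType'] ?? null) !== PAYLOAD_TYPE) throw new RuntimeException('unexpected payloadType');
    $body = base64_decode($envelope['payload'] ?? '', true);
    if ($body === false) throw new RuntimeException('payload is not valid base64');
    $signed  = pae(PAYLOAD_TYPE, $body);
    $trusted = false;
    foreach ($envelope['signatures'] ?? [] as $s) {   // one signature by a trusted key suffices
        $pk  = $trustedKeys[$s['keyid'] ?? ''] ?? null;
        $sig = base64_decode($s['sig'] ?? '', true);
        $trusted = $pk !== null && $sig !== false && strlen($sig) === SODIUM_CRYPTO_SIGN_BYTES
            && sodium_crypto_sign_verify_detached($sig, $signed, $pk);
        if ($trusted) break;
    }
    if (!$trusted) throw new RuntimeException('no valid signature from a trusted key');
    // Only now decode the payload; _type tells current v1 and legacy v0.1 apart.
    $stmt    = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    $version = STATEMENT_TYPES[$stmt['_type'] ?? ''] ?? null;
    if ($version === null || !is_array($stmt['subject'] ?? null) || !isset($stmt['predicateType'])) {
        throw new RuntimeException('not a well-formed in-toto Statement');
    }
    return [$version, $stmt];
}

$kp        = sodium_crypto_sign_keypair();
$statement = ['_type' => 'https://in-toto.io/Statement/v1', 'predicate' => ['builder' => 'ci'],
    'subject' => [['name' => 'app.tar.gz', 'digest' => ['sha256' => hash('sha256', 'sample')]]],
    'predicateType' => 'https://example.com/predicate/v1'];
$env = signStatement($statement, sodium_crypto_sign_secretkey($kp), 'key-1');
[$version, $parsed] = verifyAndParse($env, ['key-1' => sodium_crypto_sign_publickey($kp)]);
echo "$version {$parsed['subject'][0]['name']}\n";
```

A tampered payload, a wrong payloadType or a keyid outside the trusted set is rejected before the JSON is parsed, which is the order the package's fromEnvelope() plus k2gl/dsse verification is meant to enforce.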
Scope
This package models the Statement layer (the generic envelope payload). Concrete
predicate types — SLSA Provenance, SPDX/CycloneDX, etc. — are intentionally out of scope.
They can be read as the raw predicate array, or modelled by companion packages that
implement Predicate and register a factory in a PredicateRegistry (e.g.
k2gl/slsa-provenance); Statement::predicate() then returns the typed object.
License
MIT — see LICENSE. Independent, clean-room implementation of the in-toto Attestation specification (Apache-2.0).