k2gl/sigstore-verify

Offline, fail-closed PHP verifier for Sigstore bundles: Fulcio certificate chain, DSSE or message signature, Rekor v1/v2 transparency-log proof, RFC 3161 timestamp, certificate transparency and identity policy. Passes the official sigstore-conformance suite.

Latest release: 3d ago
Releases: 12
Known CVEs: 0
First release: May 30, 2026
License: MIT

View on Packagist

Repository

Source

k2gl/sigstore-verify

Stars: —
Forks: —
Open issues: —

Security score

No OpenSSF Scorecard available for this repository.

Packages from this repo

No other tracked packages from this repository.

Insights

Activity

Total releases: 12
Last 12 months: 12
Cadence: ~daily
Dependencies: 3

Releases per month

last 12 months

Release mix

major 1
minor 9
patch 1

12 releases

Dependencies

Depends on

1.3.0

k2gl/in-toto-attestation ^1.0
k2gl/tuf ^1.0
phpseclib/phpseclib ^3.0

Used by

k2gl/pragmatic-franken

Releases

Version	Released
`1.3.0` minor	Jun 10, 2026
`1.2.0` minor	Jun 08, 2026
`1.1.0` minor	Jun 08, 2026
`1.0.0` major	Jun 03, 2026
`0.7.0` minor	Jun 02, 2026
`0.6.0` minor	Jun 01, 2026
`0.5.0` minor	Jun 01, 2026
`0.4.0` minor	May 31, 2026
`0.3.0` minor	May 31, 2026
`0.2.0` minor	May 30, 2026
`0.1.1` patch	May 30, 2026
`0.1.0` initial	May 30, 2026

Release calendar

2026

S M T W T F S

Jan

Feb

Mar

Apr

May

Jun

Jul

Aug

Sep

Oct

Nov

Dec