PHPackages apex/signer - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. apex/signer ActivePackage[Security](/categories/security) apex/signer =========== Digital signatures and verification for your Composer packages. 2.0(4y ago)189819MITPHPPHP >=8.0 Since Jul 1Pushed 4y ago1 watchersCompare [ Source](https://github.com/apexpl/signer)[ Packagist](https://packagist.org/packages/apex/signer)[ Docs](https://apexpl.io)[ RSS](/packages/apex-signer/feed)WikiDiscussions master Synced 1mo ago READMEChangelogDependencies (1)Versions (5)Used By (19) Apex Signer =========== [](#apex-signer) Allows authors the ability to easily add digital signatures to releases of their Composer packages, and allows users to easily verify the packages and updates downloaded by Composer to help ensure no unauthorized code has made it into the repositories. Installation ------------ [](#installation) Install via Composer with: > `composer require --dev apex/signer` Verify Downloads ---------------- [](#verify-downloads) Verify all available packages within the /vendor/ directory by running the command: > `./vendor/bin/signer verify` This will go through all installed Composer packages, and look for a signatures.json file in each. When found, the merkle tree of the package will be built from the package contents, and compared to the digital signature found within the signatures.json file for that release. If the author has opted to utilize online signing via the public ledger at , this will also verify the signing certificate against the ledger. Generate Signatures ------------------- [](#generate-signatures) Within the package root directory, initialize the signer with the command: > `./vendor/bin/signer init` Once initialized, the last step just before you run `git commit`, sign the package with the command: > `./vendor/bin/signer sign [VERSION] [PASSWORD]` If the version is unspecified, you will be prompted for one, and the version MUST be the same as what the git repository will be tagged with. This will generate a merkle root of all files being tracked by git, sign it using your private key, and add the necessary entry into the signatures.json file. Once signed, follow the on screen instructions -- add signatures.json to git, commit and push the repository, then tag it with the same version as you created the signature with. Your package will now be included when users verify their packages and yours is within their /vendor/ directory. Sign and Release Package ------------------------ [](#sign-and-release-package) Alternatively, you may complete all steps with the one `release` command: > `./vendor/bin/signer release [VERSION] -m "Your commit message"` Or by including a file for the commit message instead: > `./vendor/bin/signer release [VERSION] --file commit.txt` This will sign the package same as above, but will also commit and push the repository, then tag and push the tags all in one step. This will check your git settings, and push to the correct remote and branch name. Run this command once all files are staged for commit, and you are ready to make the release public. Support ------- [](#support) If you have any questions, issues or feedback, please feel free to drop a note on the [ApexPl Reddit sub](https://reddit.com/r/apexpl/) for a prompt and helpful response. Follow Apex ----------- [](#follow-apex) Loads of good things coming in the near future including new quality open source packages, more advanced articles / tutorials that go over down to earth useful topics, et al. Stay informed by joining the [mailing list](https://apexpl.io/) on our web site, or follow along on Twitter at [@mdizak1](https://twitter.com/mdizak1). ### Health Score 30 — LowBetter than 65% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity17 Limited adoption so far Community17 Small or concentrated contributor base Maturity59 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~71 days Total 4 Last Release 1560d ago Major Versions 0.1.2 → 2.02022-01-30 PHP version history (2 changes)0.1PHP >=8.0.0 2.0PHP >=8.0 ### Community Maintainers ![](https://www.gravatar.com/avatar/4fe486d2ed7db571c0519bb0d52b08b5e953a911936e87331e736a381ef96f29?d=identicon)[apex](/maintainers/apex) --- Top Contributors [![mdizak](https://avatars.githubusercontent.com/u/59886259?v=4)](https://github.com/mdizak "mdizak (5 commits)") ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/apex-signer/health.svg) ``` [![Health](https://phpackages.com/badges/apex-signer/health.svg)](https://phpackages.com/packages/apex-signer) ``` ### Alternatives [defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M212](/packages/defuse-php-encryption)[roave/security-advisories Prevents installation of composer packages with known security vulnerabilities: no API, simply require it 2.9k97.3M6.4k](/packages/roave-security-advisories)[mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k16.7M112](/packages/mews-purifier)[robrichards/xmlseclibs A PHP library for XML Security 41278.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php Realistic password strength estimation PHP library based on Zxcvbn JS 86917.5M63](/packages/bjeavons-zxcvbn-php)[enlightn/security-checker A PHP dependency vulnerabilities scanner based on the Security Advisories Database. 33732.2M110](/packages/enlightn-security-checker) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)