
k2gl/in-toto-attestation
========================

Faithful, typed PHP implementation of the in-toto Attestation Framework (Statement v1): build, sign and verify attestations over k2gl/dsse.

Latest version 1.1.0 (released 1w ago). License: MIT. Requires PHP >=8.1. CI: passing. Listed since May 30; last pushed 1w ago.

[Source](https://github.com/k2gl/in-toto-attestation) [Packagist](https://packagist.org/packages/k2gl/in-toto-attestation) [Docs](https://github.com/k2gl/in-toto-attestation) [RSS](/packages/k2gl-in-toto-attestation/feed)


A faithful, typed PHP implementation of the [in-toto Attestation Framework](https://github.com/in-toto/attestation) **Statement** — both the current **v1** and the legacy **v0.1** still carried by many real-world bundles — built on [`k2gl/dsse`](https://github.com/k2gl/dsse).

An in-toto attestation is a signed claim ("predicate") about one or more artifacts ("subjects"). The claim is a **Statement**, carried inside a DSSE envelope with payload type `application/vnd.in-toto+json`. This package gives you typed, validated `Statement` and `ResourceDescriptor` value objects plus the sign/parse glue to DSSE.

Install
-------


```
composer require k2gl/in-toto-attestation
```

Requires PHP 8.1+. Pulls in `k2gl/dsse`. The example signers use `ext-sodium` (Ed25519) / `ext-openssl` (ECDSA), both bundled with PHP.

Usage
-----


### Build and sign a statement


```
use K2gl\InToto\Statement;
use K2gl\InToto\ResourceDescriptor;
use K2gl\Dsse\Ed25519Signer;

// $signer: a K2gl\Dsse\Ed25519Signer holding your private key, constructed as
// documented in k2gl/dsse.
$statement = new Statement(
    subject: [
        new ResourceDescriptor(
            name: 'pkg:composer/k2gl/dsse@1.0.0',
            digest: ['sha256' => '…'],   // hex digest of the artifact
        ),
    ],
    predicateType: 'https://slsa.dev/provenance/v1',
    predicate: ['buildDefinition' => [/* … */], 'runDetails' => [/* … */]],
);

$envelope = $statement->sign($signer);   // a K2gl\Dsse\Envelope
echo $envelope->toJson();
```

### Verify and parse


```
use K2gl\InToto\Statement;
use K2gl\Dsse\Envelope;
use K2gl\Dsse\Ed25519Verifier;

// $json: the serialized DSSE envelope; $verifier: a K2gl\Dsse\Ed25519Verifier
// holding the expected public key, constructed as documented in k2gl/dsse.
$envelope = Envelope::fromJson($json);

$envelope->verify($verifier);              // DSSE signature check (throws on failure)
$statement = Statement::fromEnvelope($envelope);

$statement->predicateType;                 // 'https://slsa.dev/provenance/v1'
$statement->subject[0]->digest;            // ['sha256' => '…']
```

`fromEnvelope()` checks the envelope's `payloadType` and decodes the payload — always verify the envelope's signatures (via `k2gl/dsse`) before trusting the result.

### Statement versions


Real-world Sigstore bundles carry in-toto Statements in two schema versions: the current `v1` and the legacy `v0.1` (often wrapping a SLSA Provenance `v0.2` predicate). `fromJson()` and `fromEnvelope()` parse both and expose which one was decoded:

```
use K2gl\InToto\StatementVersion;

$statement = Statement::fromEnvelope($envelope);
$statement->version === StatementVersion::V0_1;   // true for a legacy bundle
```

New statements default to `v1`. To build a `v0.1` statement, pass the version explicitly:

```
$statement = new Statement(
    subject: [new ResourceDescriptor(name: 'app', digest: ['sha256' => '…'])],
    predicateType: 'https://slsa.dev/provenance/v0.2',
    predicate: [/* … */],
    version: StatementVersion::V0_1,
);
```
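As an added example (not code from the package's README), the verify-and-parse flow and the version handling above are combined into a consumer-side check: after the DSSE signature verifies, the decoded Statement is accepted only if its `predicateType` is on an allow-list and one subject's sha256 digest equals the hash of the file actually held. `$json`, `$verifier` (an `Ed25519Verifier` built as k2gl/dsse documents), the artifact path and the helper name `verifyAttestationForArtifact()` are this example's own assumptions.

```php
<?php
// Added example, not code from k2gl/in-toto-attestation: verify a DSSE envelope,
// then bind the decoded Statement to the artifact bytes held locally.
// Assumed: $json (envelope JSON), $verifier (K2gl\Dsse\Ed25519Verifier built as
// k2gl/dsse documents), the artifact path, and the helper's name itself.
use K2gl\Dsse\Envelope;
use K2gl\Dsse\Ed25519Verifier;
use K2gl\InToto\Statement;
use K2gl\InToto\StatementVersion;

/** @param string[] $acceptedPredicateTypes predicate type URIs the policy accepts */
function verifyAttestationForArtifact(
    string $envelopeJson,
    Ed25519Verifier $verifier,
    string $artifactPath,
    array $acceptedPredicateTypes,
): Statement {
    // 1. Signature first: nothing in the payload is trusted before this passes.
    $envelope = Envelope::fromJson($envelopeJson);
    $envelope->verify($verifier);                       // throws on failure

    // 2. Decode; fromEnvelope() also checks payloadType is application/vnd.in-toto+json.
    $statement = Statement::fromEnvelope($envelope);

    // 3. Policy: a valid signature over an unexpected predicate type is still a reject.
    if (!in_array($statement->predicateType, $acceptedPredicateTypes, true)) {
        throw new RuntimeException("Unexpected predicateType: {$statement->predicateType}");
    }

    // 4. Subject binding: some subject's sha256 must equal the hash of the real file.
    $actual = hash_file('sha256', $artifactPath);
    if ($actual === false) {
        throw new RuntimeException("Cannot hash $artifactPath");
    }
    foreach ($statement->subject as $subject) {
        $claimed = $subject->digest['sha256'] ?? null;
        if (is_string($claimed) && hash_equals($actual, strtolower($claimed))) {
            return $statement;                          // artifact is covered
        }
    }
    throw new RuntimeException("No subject digest matches sha256:$actual");
}

// Legacy (v0.1) bundles usually carry SLSA Provenance v0.2; accept both schemas.
$accepted = ['https://slsa.dev/provenance/v1', 'https://slsa.dev/provenance/v0.2'];
$statement = verifyAttestationForArtifact($json, $verifier, '/path/to/artifact', $accepted);
if ($statement->version === StatementVersion::V0_1) {
    // Legacy schema: read predicate fields using the v0.2 provenance layout.
}
```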

Scope
-----


This package models the **Statement** layer (the generic envelope payload). Concrete predicate types — SLSA Provenance, SPDX/CycloneDX, etc. — are intentionally out of scope and can be carried as a typed array in `predicate`, or modelled by companion packages.

License
-------


MIT — see [LICENSE](LICENSE). Independent, clean-room implementation of the in-toto Attestation specification (Apache-2.0).


### Community

Maintainers: [k2gl](/maintainers/k2gl)

Top contributors: [k2gl](https://github.com/k2gl) (5 commits)

Tags: signing, statement, attestation, supply-chain, provenance, dsse, in-toto, sigstore, slsa

### Code Quality

Tests: PHPUnit

Static analysis: PHPStan

Code style: PHP CS Fixer

Type coverage: yes


PHPackages © 2026

