Active library, category: [Security](/categories/security)

k2gl/signed-note
================

Parse, verify and sign signed notes — the transparency-log / Go sumdb format used by Sigstore Rekor checkpoints — in PHP.

Version 1.0.0 (released today). License: MIT. Language: PHP (>=8.1). CI: passing. Listed since Jul 1, pushed today.

[Source](https://github.com/k2gl/signed-note) | [Packagist](https://packagist.org/packages/k2gl/signed-note) | [Docs](https://github.com/k2gl/signed-note) | [RSS](/packages/k2gl-signed-note/feed)

Dependencies: 5. Versions: 2. Used by: 0.


Parse, verify and sign **signed notes** in PHP — the format Go's sumdb and transparency-log **checkpoints** (Sigstore Rekor) use. A note is some text, a blank line, then one or more signature lines:

```
If you think cryptography is the answer to your problem,
then you don't know what your problem is.

— PeterNeumann x08go/ZJkuBS9UG/SffcvIAQxVBtiFupLLr8pAcElZInNIuGUgYN1FFYC2pZSNXgKvqfqdngotpRZb6KE6RyyBwJnAM=
```

Each signature line is `— <name> <base64>`, where the base64 decodes to a 4-byte key hash followed by the raw signature over the text. The cryptography is delegated to `k2gl/dsse`.

Install
-------


```
composer require k2gl/signed-note
```

Requires PHP 8.1+ with `ext-sodium` (Ed25519); `ext-openssl` is needed only for ECDSA-signed notes such as Rekor v1 checkpoints.

Verify
------


Give a `NoteVerifier` the keys you trust; it returns the signatures that verify and throws if none do.

```php
use K2gl\SignedNote\Note;
use K2gl\SignedNote\NoteVerifier;
use K2gl\SignedNote\VerifierKey;

// A trusted key in the name+hash+base64 form used by Go's note package.
$key = VerifierKey::fromString('PeterNeumann+c74f20a3+ARpc2QcUPDhMQegwxbzhKqiBfsVkmqq/LDE4izWy10TW');

// $envelope holds the raw note: text, a blank line, then the signature lines.
$verified = (new NoteVerifier($key))->verify(Note::parse($envelope));
// $verified is the list of NoteSignature that checked out; SignatureVerificationFailed is thrown otherwise.
```
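The parsing and verification described above (signature line, 4-byte key hash, trusted key, fail-closed result), reimplemented as an added example in Go with only the standard library; this is not the library's code. It handles Ed25519 `name+hash+base64` keys in Go's note format and reuses the README's PeterNeumann test vector; PEM-loaded keys with the Sigstore hint derivation are out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Go's note package test vector, the same one the README shows (embedded so this runs offline).
const VectorKey = "PeterNeumann+c74f20a3+ARpc2QcUPDhMQegwxbzhKqiBfsVkmqq/LDE4izWy10TW"
const VectorNote = "If you think cryptography is the answer to your problem,\nthen you don't know what your problem is.\n\n" +
	"— PeterNeumann x08go/ZJkuBS9UG/SffcvIAQxVBtiFupLLr8pAcElZInNIuGUgYN1FFYC2pZSNXgKvqfqdngotpRZb6KE6RyyBwJnAM=\n"

// parseVerifierKey splits "name+hash+base64"; the base64 is the algorithm byte 0x01 (Ed25519) plus the 32-byte public key.
func parseVerifierKey(s string) (string, ed25519.PublicKey, error) {
	p := strings.Split(s, "+")
	key, err := base64.StdEncoding.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || len(key) != 33 || key[0] != 1 {
		return "", nil, errors.New("malformed or non-Ed25519 verifier key")
	}
	return p[0], ed25519.PublicKey(key[1:]), nil
}

// VerifyNote splits at the last blank line and returns the signed text only if a "— name base64" line verifies under the trusted key.
func VerifyNote(note, verifierKey string) (string, error) {
	name, pub, err := parseVerifierKey(verifierKey)
	split := strings.LastIndex(note, "\n\n")
	if err != nil || split < 0 {
		return "", errors.New("bad verifier key or note without a blank line")
	}
	h := sha256.Sum256(append([]byte(name+"\n\x01"), pub...)) // key hint = SHA-256(name "\n" 0x01 pubkey)[:4], as in the key string
	text, hint := note[:split+1], h[:4]                       // the signed bytes keep the text's final newline
	for _, line := range strings.Split(note[split+2:], "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[0] == "—" && f[1] == name { // "—", name, base64(hint||sig)
			sig, err := base64.StdEncoding.DecodeString(f[2])
			if err == nil && len(sig) == 4+ed25519.SignatureSize && string(sig[:4]) == string(hint) &&
				ed25519.Verify(pub, []byte(text), sig[4:]) {
				return text, nil
			}
		}
	}
	return "", errors.New("no valid signature from the trusted key") // fail closed
}

func main() {
	fmt.Println(VerifyNote(VectorNote, VectorKey))
}
```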

A Rekor checkpoint is a note signed by the log's key. Load that key from its PEM — the key hash is derived the Sigstore way (first four bytes of SHA-256 of the DER key), and any RSA/ECDSA/Ed25519 key works:

```php
use K2gl\SignedNote\Note;
use K2gl\SignedNote\NoteVerifier;
use K2gl\SignedNote\VerifierKey;

// $logPublicKeyPem holds the log's public key in PEM form; the first argument names the key.
$log = VerifierKey::fromPem('rekor.sigstore.dev - 1193050959916656506', $logPublicKeyPem);

// $checkpoint holds the raw checkpoint body; verify() throws if the log's key did not sign it.
(new NoteVerifier($log))->verify(Note::parse($checkpoint));
```

Sign
----


```php
use K2gl\SignedNote\SignerKey;

$signer = SignerKey::fromString('PRIVATE+KEY+PeterNeumann+c74f20a3+AYEKFALVFGyNhPJEMzD1QIDr+Y7hfZx09iUvxdXHKDFz');

$note = $signer->sign("hello\n"); // text must end with a newline
echo $note;                       // renders the note with its signature line
```

The output is byte-for-byte what Go's `note.Sign` produces (checked against the `golang.org/x/mod/sumdb/note` test vectors).

Design
------


- **Format only.** `Note` is the generic note; it does not interpret checkpoint fields (origin, tree size, root hash). Parse those from `signedText()` yourself.
- **Fail-closed.** A verified result means a trusted key signed the exact text.
- **Ed25519 is the standard.** `VerifierKey::fromString()` / `SignerKey` handle the Ed25519 key strings from Go's `note` package; `fromPem()` covers ECDSA/RSA logs.

License
-------


MIT.


### Community

Maintainer: [k2gl](/maintainers/k2gl)

Top contributor: [k2gl](https://github.com/k2gl) (2 commits)

Tags: signing, Ed25519, checkpoint, supply-chain, note, sigstore, rekor, transparency-log, signed-note, sumdb

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan
- Code style: Laravel Pint
- Type coverage: yes
