
Tags: Abandoned, Archived, Composer plugin, [Security](/categories/security)

roave/composer-gpg-verify
=========================

Composer plugin that verifies GPG signatures of downloaded dependencies, enforcing trusted GIT tags

Version 1.0.0 (released 9 years ago). License: MIT. Requires PHP ^7.1.4. [1 issue](https://github.com/Roave/composer-gpg-verify/issues) and [1 PR](https://github.com/Roave/composer-gpg-verify/pulls) open on GitHub. Last pushed 3 years ago; 3 watchers.

[Source](https://github.com/Roave/composer-gpg-verify) | [Packagist](https://packagist.org/packages/roave/composer-gpg-verify) | [RSS](/packages/roave-composer-gpg-verify/feed)

Composer GPG signature verification plugin
------------------------------------------


This package provides pluggable composer tag signature verification.

Specifically, all this package does is stop the installation process when an untrusted package is encountered.

The aim of this package is to be a first reference implementation to be later used in composer itself to enforce good dependency checking hygiene.

Usage
-----


This package provides no usable public API, but will only act during the composer installation setup:

```
composer require roave/composer-gpg-verify --prefer-source
```

Please note that the above may already fail if you have untrusted dependencies. If you have not yet identified your untrusted dependencies, use the `--no-scripts` flag to skip the checks provided by this package:

```
composer require roave/composer-gpg-verify --prefer-source --no-scripts
```

Trusted dependencies
--------------------


This package extensively uses [`GPG`](https://www.gnupg.org/) to validate that all downloaded dependencies have a good and trusted GIT tag or commit signature.

At the moment, the package only reads your local GPG trust database to decide which signatures are trusted; it never modifies it.

In practice, this means that:

- every package you install must be a `git` repository (use `--prefer-source`)
- the `HEAD` (current state) of each repository must be either a signed tag or a signed commit
- you must have a local copy of the public key corresponding to each tag/commit signature
- you must have explicitly trusted, locally signed (`--lsign-key`) or signed (`--sign-key`) each of the involved public keys

While this may sound like a needless complication to most users, who simply trust Packagist to provide "good" dependencies, those dependencies may have been forged by an attacker who stole information from your favorite maintainers.

Good dependency hygiene is extremely important, and this package encourages maintainers to always sign their releases, and users to always check them.

Trusting someone's work
-----------------------


Assuming that you downloaded a signed package, you will likely get the following failure during the first installation:

```
composer require some-vendor/some-package --prefer-source
# ... lots of lines here ...
The following packages need to be signed and verified, or added to exclusions:

some-vendor/some-package
[SIGNED] [NOT VERIFIED] Commit #4b825dc642cb6eb9a060e54bf8d69288fbee4904 (Key AABBCCDDEEFF1122)
Command: git verify-commit --verbose HEAD
Exit code: 1
Output: tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
author Mr. Maintainer  1495040303 +0200
committer Mr. Maintainer  1495040303 +0200

signed commit
gpg: Signature made Mi 17 Mai 2017 18:58:23 CEST
gpg:                using RSA key AABBCCDDEEFF1122
gpg: Can't check signature: No public key
... more lines ...
```

This means that `some-vendor/some-package` is not trusted.

That `AABBCCDDEEFF1122` is the key you are missing. Let's download it:

```
gpg --recv-keys AABBCCDDEEFF1122
```

Now the key is in your local DB, but it isn't yet trusted.

**IMPORTANT**: do not blindly trust or sign other people's GPG keys - only do so if you effectively know that the key is provided by them, and you know them at least marginally. Usually, contacting the key author is the best way to check authenticity.

To trust a key, you can edit it:

```
gpg --edit-key AABBCCDDEEFF1122
...

gpg> trust

...

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 3

gpg> save
```

Alternatively, if you want to sign the gpg key, you can create a local signature:

```
gpg --lsign-key AABBCCDDEEFF1122
```

If you *really* trust a key, you can create a generic signature that may be uploaded:

```
gpg --sign-key AABBCCDDEEFF1122
```

Once you did any of the above (signing or trusting), then you may resume your composer installation or upgrade process.
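The checks listed under "Trusted dependencies" and the `[SIGNED] [NOT VERIFIED]` failure shown above can be reproduced outside the plugin by reading the machine-readable status lines that `git verify-commit --raw HEAD` writes to stderr (gpg's `--status-fd` tokens such as `GOODSIG`, `NO_PUBKEY` and `TRUST_FULLY`). The following is an added example and not the plugin's own code; the sample status lines are constructed, and the `[TRUSTED]` / `[NOT TRUSTED]` labels are this example's own addition to the README's vocabulary.

```python
import re
import subprocess

# gpg validity levels reported once the signing key is trusted or (l)signed.
TRUSTED_LEVELS = {"TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE"}

# Constructed status lines for the README's failing scenario (key not in keyring).
SAMPLE_MISSING_KEY = ("[GNUPG:] NEWSIG\n"
                      "[GNUPG:] ERRSIG AABBCCDDEEFF1122 1 8 01 1495040303 9\n"
                      "[GNUPG:] NO_PUBKEY AABBCCDDEEFF1122\n")
# Constructed status lines after `gpg --recv-keys` and `gpg --lsign-key`.
SAMPLE_TRUSTED = ("[GNUPG:] NEWSIG\n"
                  "[GNUPG:] GOODSIG AABBCCDDEEFF1122 Mr. Maintainer\n"
                  "[GNUPG:] TRUST_FULLY 0 pgp\n")

def classify(status: str) -> dict:
    """Reduce gpg status tokens to the README's signed/verified/trusted state."""
    state = {"signed": False, "verified": False, "trusted": False, "key": None}
    for line in status.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        token, args = m.group(1), m.group(2).split()
        if token == "NEWSIG":
            state["signed"] = True                          # a signature packet exists
        elif token in ("ERRSIG", "NO_PUBKEY"):
            state["signed"], state["key"] = True, args[0]   # signed, cannot be checked
        elif token == "GOODSIG":
            state["signed"] = state["verified"] = True
            state["key"] = args[0]
        elif token in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            state["signed"], state["key"] = True, args[0]   # verified stays False
        elif token in TRUSTED_LEVELS and state["verified"]:
            state["trusted"] = True                         # TRUST_UNDEFINED/NEVER leave it False
    return state

def label(state: dict) -> str:
    """Render the state in the README's bracket notation."""
    if not state["signed"]:
        return "[NOT SIGNED]"
    parts = ["[SIGNED]", "[VERIFIED]" if state["verified"] else "[NOT VERIFIED]"]
    if state["verified"]:
        parts.append("[TRUSTED]" if state["trusted"] else "[NOT TRUSTED]")
    return " ".join(parts) + (f" (Key {state['key']})" if state["key"] else "")

def check_repo(path: str) -> str:
    # Real check on one checked-out dependency (needs git and gpg on PATH);
    # an unsigned HEAD produces no status lines at all, hence [NOT SIGNED].
    proc = subprocess.run(["git", "-C", path, "verify-commit", "--raw", "HEAD"],
                          capture_output=True, text=True)
    return label(classify(proc.stderr))
```

`check_repo` only covers the signed-commit case; a signed tag at `HEAD` would be checked the same way with `git verify-tag --raw <tag>`.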

Examples
--------


Please refer to the [examples](examples) directory for running examples in your system. All examples are designed in a way that will leave your current GPG settings untouched.

Limitations
-----------


This package still has a few serious limitations:

- it needs `gpg` `2.x` to run - this means that you should probably be on Ubuntu 16.04 or equivalent.
- it can only verify signatures of downloaded GIT repositories: any non-git packages will cause the validation to fail

These limitations will eventually be softened as development of further versions of the library continues.


### Community

Maintainers: [Ocramius](/maintainers/Ocramius)

Top contributors: [Ocramius](https://github.com/Ocramius) (188 commits), [asgrim](https://github.com/asgrim) (1 commit)

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan
- Code style: PHP_CodeSniffer
- Type coverage: yes


PHPackages © 2026

