k2gl/signed-note
Composer 安装命令:
composer require k2gl/signed-note
包简介
Parse, verify and sign signed notes — the transparency-log / Go sumdb format used by Sigstore Rekor checkpoints — in PHP.
关键字:
README 文档
README
Parse, verify and sign signed notes in PHP — the format Go's sumdb and transparency-log checkpoints (Sigstore Rekor) use. A note is some text, a blank line, then one or more signature lines:
If you think cryptography is the answer to your problem,
then you don't know what your problem is.
— PeterNeumann x08go/ZJkuBS9UG/SffcvIAQxVBtiFupLLr8pAcElZInNIuGUgYN1FFYC2pZSNXgKvqfqdngotpRZb6KE6RyyBwJnAM=
Each signature line is — <name> <base64>, where the base64 decodes to a 4-byte
key hash and the raw signature over the text. The cryptography is delegated to
[k2gl/dsse].
Install
composer require k2gl/signed-note
Requires PHP 8.1+ with ext-sodium (Ed25519); ext-openssl is needed only for
ECDSA-signed notes such as Rekor v1 checkpoints.
Verify
Give a NoteVerifier the keys you trust; it returns the signatures that verify
and throws if none do.
use K2gl\SignedNote\Note; use K2gl\SignedNote\NoteVerifier; use K2gl\SignedNote\VerifierKey; $key = VerifierKey::fromString('PeterNeumann+c74f20a3+ARpc2QcUPDhMQegwxbzhKqiBfsVkmqq/LDE4izWy10TW'); $verified = (new NoteVerifier($key))->verify(Note::parse($envelope)); // $verified is the list of NoteSignature that checked out; SignatureVerificationFailed otherwise.
A Rekor checkpoint is a note signed by the log's key. Load that key from its PEM — the key hash is derived the Sigstore way (first four bytes of SHA-256 of the DER key), and any RSA/ECDSA/Ed25519 key works:
$log = VerifierKey::fromPem('rekor.sigstore.dev - 1193050959916656506', $logPublicKeyPem); (new NoteVerifier($log))->verify(Note::parse($checkpoint));
Sign
use K2gl\SignedNote\SignerKey; $signer = SignerKey::fromString('PRIVATE+KEY+PeterNeumann+c74f20a3+AYEKFALVFGyNhPJEMzD1QIDr+Y7hfZx09iUvxdXHKDFz'); $note = $signer->sign("hello\n"); // text must end with a newline echo $note; // renders the note with its signature line
The output is byte-for-byte what Go's note.Sign produces (checked against the
golang.org/x/mod/sumdb/note test vectors).
Design
- Format only.
Noteis the generic note; it does not interpret checkpoint fields (origin, tree size, root hash). Parse those fromsignedText()yourself. - Fail-closed. A verified result means a trusted key signed the exact text.
- Ed25519 is the standard.
VerifierKey::fromString()/SignerKeyhandle the Ed25519 key strings from Go'snotepackage;fromPem()covers ECDSA/RSA logs.
License
MIT.
统计信息
- 总下载量: 0
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 3
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-07-01