k2gl/rekor-client

A PSR-18 client for the Rekor v2 transparency log — submit entries and read checkpoints in PHP.

Package info

github.com/k2gl/rekor-client

pkg:composer/k2gl/rekor-client

Transparency log

Statistics

Installs: 185

Dependents: 1

Suggesters: 0

Stars: 0

Open Issues: 0

1.0.0 2026-07-04 06:43 UTC

Last update: 2026-07-04 11:08:10 UTC


README

Submit entries to a Rekor v2 (rekor-tiles) transparency log from PHP and get back the transparency-log entry that Rekor integrated, as the K2gl\SigstoreBundle\TransparencyLogEntry value k2gl/sigstore-bundle takes, so a signer goes submit → add to bundle with no glue in between.

Transport is any PSR-18 HTTP client you supply (Guzzle, Symfony HttpClient, …). This package speaks the Rekor API; it owns no socket.

Requirements

  • PHP 8.1+
  • A PSR-18 HTTP client and a PSR-17 factory (e.g. nyholm/psr7 + symfony/http-client)
  • k2gl/sigstore-bundle

Installation

composer require k2gl/rekor-client

Usage

<?php

use K2gl\RekorClient\RekorClient;
use K2gl\RekorClient\Verifier;
use K2gl\RekorClient\KeyDetails;
use K2gl\SigstoreBundle\BundleBuilder;        // from k2gl/sigstore-bundle (namespace assumed from TransparencyLogEntry)
use Nyholm\Psr7\Factory\Psr17Factory;         // any PSR-17 factory works
use Symfony\Component\HttpClient\Psr18Client; // any PSR-18 client works

// The client owns no socket: wire in whichever PSR-18 client and PSR-17 factory you use.
$psr17Factory = new Psr17Factory();
$psr18Client  = new Psr18Client(null, $psr17Factory, $psr17Factory);

$rekor = new RekorClient(
    httpClient:     $psr18Client,
    requestFactory: $psr17Factory,
    streamFactory:  $psr17Factory,
    baseUrl:        'https://rekor.sigstore.dev', // use the Rekor v2 log URL from your Sigstore signing config, not a hard-coded constant
);

// A hashedrekord entry: the artifact digest, the signature, and the key or
// certificate that signed it.
$entry = $rekor->submitHashedRekord(
    digest:    $artifactSha256,        // raw 32-byte digest, i.e. hash('sha256', $artifact, true); never the hex string
    signature: $rawSignature,          // the signature over the artifact, as bytes
    verifier:  Verifier::certificate($fulcioLeafDer, KeyDetails::PKIX_ECDSA_P256_SHA_256),
);

// $entry is a K2gl\SigstoreBundle\TransparencyLogEntry; drop it straight in:
$json = BundleBuilder::forMessageSignature($messageSignature)
    ->withCertificate($fulcioLeafDer)
    ->addTransparencyLogEntry($entry)
    ->toJson();

DSSE attestations

This client does not yet implement a dedicated DSSE entry type. Submit the SHA-256 of the DSSE PAE (the bytes the envelope signature actually covers, not the raw payload) together with the envelope signature as a hashedrekord; the entry Rekor returns is added to the bundle exactly like the one above. Before relying on this, check that the verifier you target accepts a hashedrekord entry alongside a DSSE envelope.

Signing identity

  • Verifier::publicKey($der, $keyDetails) — a bare public key.
  • Verifier::certificate($der, $keyDetails) — a Fulcio (keyless) certificate.

KeyDetails names the signature algorithm (PKIX_ECDSA_P256_SHA_256, PKIX_ED25519, …). It must describe the key actually encoded in $der; it is not inferred from the bytes.

Errors

Everything thrown implements K2gl\RekorClient\Exception\RekorClientException, so a single catch covers the lot. The concrete classes:

  • RekorRequestException: transport failed or the request could not be built (no response from Rekor).
  • RekorResponseException: Rekor answered with an error status or an unparseable body; it carries the HTTP statusCode.
  • InvalidArgumentException: bad input.

Any of these means no entry was obtained. Treat that as fatal for the signing run and do not emit a bundle without its transparency-log entry; only transport failures and 5xx responses are worth retrying.
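The DSSE route and the error handling above, combined into one added example (this is not code from k2gl/rekor-client or k2gl/sigstore-bundle). It assumes: a configured RekorClient as in Usage; that Verifier::publicKey() takes the DER-encoded SubjectPublicKeyInfo bytes; that RekorResponseException exposes the status as a public $statusCode property (the README names the field but not its accessor, so switch to the getter if the package uses one); and that the envelope was signed with ECDSA P-256 over SHA-256 using the DER signature encoding Sigstore uses, which is what the local openssl_verify() check relies on. The PAE construction follows the in-toto DSSE v1 specification; the function names dssePae, parseDsseEnvelope, derToPem, verifyDsseLocally and logDsseEnvelope are this example's own.

```php
<?php
declare(strict_types=1);

use K2gl\RekorClient\RekorClient;
use K2gl\RekorClient\Verifier;
use K2gl\RekorClient\KeyDetails;
use K2gl\RekorClient\Exception\RekorRequestException;
use K2gl\RekorClient\Exception\RekorResponseException;
use K2gl\SigstoreBundle\TransparencyLogEntry;

// DSSE Pre-Authentication Encoding (in-toto DSSE v1):
//   "DSSEv1" SP LEN(payloadType) SP payloadType SP LEN(payload) SP payload
// Lengths are decimal ASCII byte counts. The envelope signature is over these
// bytes, never over the raw payload, so this is what gets hashed for Rekor.
function dssePae(string $payloadType, string $payload): string
{
    return sprintf('DSSEv1 %d %s %d %s', strlen($payloadType), $payloadType, strlen($payload), $payload);
}

// Parse a DSSE envelope (JSON) into [payloadType, payload bytes, first signature bytes].
// Strict base64 decoding rejects input a lenient decoder would silently accept.
function parseDsseEnvelope(string $json): array
{
    $env = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    foreach (['payloadType', 'payload', 'signatures'] as $field) {
        if (!isset($env[$field])) {
            throw new InvalidArgumentException("DSSE envelope is missing '$field'");
        }
    }
    $payload = base64_decode($env['payload'], true);
    $sig     = base64_decode($env['signatures'][0]['sig'] ?? '', true);
    if ($payload === false || $sig === false || $sig === '') {
        throw new InvalidArgumentException('DSSE envelope has invalid base64 in payload or signature');
    }
    return [$env['payloadType'], $payload, $sig];
}

// Wrap a DER SubjectPublicKeyInfo as PEM so OpenSSL can load it.
function derToPem(string $spkiDer): string
{
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spkiDer), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// Check the envelope signature locally before spending a log write: a wrong key or a
// corrupt signature should fail here, not as a Rekor 4xx after a network round trip.
// Assumes ECDSA P-256 / SHA-256 with a DER-encoded signature (what openssl_verify()
// expects for EC keys); Ed25519 envelopes need a different check.
function verifyDsseLocally(string $pae, string $sig, string $spkiDer): void
{
    $key = openssl_pkey_get_public(derToPem($spkiDer));
    if ($key === false || openssl_verify($pae, $sig, $key, OPENSSL_ALGO_SHA256) !== 1) {
        throw new InvalidArgumentException('DSSE signature does not verify against the supplied key');
    }
}

// Log a DSSE envelope as a hashedrekord and return the entry for the bundle.
// Fail closed: anything thrown means "no log entry", and a bundle must not be emitted
// without one. Only transport errors and 5xx responses are retried; a 4xx means the
// request itself is wrong and retrying cannot fix it.
// Assumed: RekorResponseException exposes the HTTP status as $e->statusCode.
function logDsseEnvelope(RekorClient $rekor, string $envelopeJson, string $spkiDer, int $attempts = 3): TransparencyLogEntry
{
    [$type, $payload, $sig] = parseDsseEnvelope($envelopeJson);
    $pae = dssePae($type, $payload);
    verifyDsseLocally($pae, $sig, $spkiDer);

    // Assumed: Verifier::publicKey() takes the DER SubjectPublicKeyInfo bytes.
    $verifier = Verifier::publicKey($spkiDer, KeyDetails::PKIX_ECDSA_P256_SHA_256);

    for ($i = 1; ; $i++) {
        try {
            return $rekor->submitHashedRekord(
                digest:    hash('sha256', $pae, true), // raw 32 bytes, not hex
                signature: $sig,
                verifier:  $verifier,
            );
        } catch (RekorResponseException $e) {
            if ($e->statusCode < 500 || $i >= $attempts) {
                throw $e;
            }
        } catch (RekorRequestException $e) {
            if ($i >= $attempts) {
                throw $e;
            }
        }
        usleep(200_000 * $i); // linear back-off before the next attempt
    }
}
```

The local verification step is deliberately placed before the network call: it costs one openssl_verify() and turns a mis-keyed or corrupted envelope into an immediate InvalidArgumentException instead of a logged failure against the public instance. The retry loop never retries a 4xx, since a rejected signature or malformed request will be rejected again identically.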

Scope

This release covers submission (the write path a signer needs) against Rekor v2. Reading back entries and tiles (the C2SP tlog-tiles read API) is not implemented yet; verifying an entry already in a bundle is what k2gl/sigstore-verify does.

Pull requests are always welcome
