k2gl / rekor-client
A PSR-18 client for the Rekor v2 transparency log — submit entries and read checkpoints in PHP.
Requires
- php: >=8.1
- ext-json: *
- k2gl/sigstore-bundle: ^1.0
- psr/http-client: ^1.0
- psr/http-factory: ^1.0
- psr/http-message: ^1.1|^2.0
Requires (Dev)
- k2gl/phpunit-fluent-assertions: ^12
- laravel/pint: ~1.20.0
- nyholm/psr7: ^1.8
- phpstan/phpstan: ^2.1
- phpunit/phpunit: ^10|^11|^12
This package is auto-updated.
Last update: 2026-07-04 11:08:10 UTC
README
Submit entries to a Rekor v2 (rekor-tiles) transparency log from PHP and get back the transparency-log entry that Rekor integrated. It is the same value k2gl/sigstore-bundle takes, so a signer goes submit → add to bundle with no glue in between.
Transport is any PSR-18 HTTP client you supply (Guzzle, Symfony HttpClient, …). This package speaks the Rekor API; it owns no socket.
Requirements
- PHP 8.1+
- A PSR-18 HTTP client and a PSR-17 factory (e.g. nyholm/psr7 + symfony/http-client)
- k2gl/sigstore-bundle
Installation
composer require k2gl/rekor-client
Usage
```php
use K2gl\RekorClient\RekorClient;
use K2gl\RekorClient\Verifier;
use K2gl\RekorClient\KeyDetails;
use K2gl\SigstoreBundle\BundleBuilder; // assumed: same namespace as TransparencyLogEntry below

$rekor = new RekorClient(
    httpClient: $psr18Client,
    requestFactory: $psr17Factory,
    streamFactory: $psr17Factory,
    baseUrl: 'https://rekor.sigstore.dev', // the v2 log URL from your signing config
);

// A hashedrekord entry: the artifact digest, the signature, and the key or
// certificate that signed it.
$entry = $rekor->submitHashedRekord(
    digest: $artifactSha256,   // raw 32-byte digest, e.g. hash('sha256', $artifact, true)
    signature: $rawSignature,
    verifier: Verifier::certificate($fulcioLeafDer, KeyDetails::PKIX_ECDSA_P256_SHA_256),
);

// $entry is a K2gl\SigstoreBundle\TransparencyLogEntry — drop it straight in:
$json = BundleBuilder::forMessageSignature($messageSignature)
    ->withCertificate($fulcioLeafDer)
    ->addTransparencyLogEntry($entry)
    ->toJson();
```
DSSE attestations
This client submits only the hashedrekord entry type (Rekor v2 itself also defines a dsse entry type, which this release does not implement). To log a DSSE envelope, submit the SHA-256 of the DSSE PAE (the bytes the envelope signature actually covers, not the payload on its own) together with the envelope signature as a hashedrekord; the entry Rekor returns is the one a DSSE bundle carries. Confirm that the verifier you target accepts a hashedrekord entry for a DSSE bundle before relying on this.
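The DSSE path end to end, as an added example that is not part of this package's README: it builds the DSSE v1 PAE for a constructed in-toto statement, signs the PAE with a locally generated P-256 key, and submits digest-of-PAE plus signature as a hashedrekord through RekorClient, catching the documented exception hierarchy. Assumptions not taken from the page: symfony/http-client's Psr18Client (with nyholm/psr7 installed) as the PSR-18 client and PSR-17 factories, a placeholder log URL, and a bare key instead of a Fulcio certificate.

```php
<?php
// Added example, not k2gl/rekor-client's own code. Assumes symfony/http-client +
// nyholm/psr7 for PSR-18/PSR-17 and a placeholder Rekor v2 base URL.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use K2gl\RekorClient\Exception\RekorClientException;
use K2gl\RekorClient\KeyDetails;
use K2gl\RekorClient\RekorClient;
use K2gl\RekorClient\Verifier;
use Symfony\Component\HttpClient\Psr18Client;

/**
 * DSSE v1 pre-authentication encoding, the exact bytes an envelope signature covers:
 *   "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
 * LEN is the decimal byte length; there is no trailing newline. Signing or hashing
 * the raw payload instead of this string is the classic DSSE mistake.
 */
function dssePae(string $payloadType, string $payload): string
{
    return sprintf(
        'DSSEv1 %d %s %d %s',
        strlen($payloadType), $payloadType,
        strlen($payload), $payload,
    );
}

/** Public key as DER SubjectPublicKeyInfo, the form Verifier::publicKey() takes. */
function publicKeyDer(\OpenSSLAsymmetricKey $key): string
{
    $pem = openssl_pkey_get_details($key)['key'];
    $b64 = preg_replace('/-----[^-]+-----|\s+/', '', $pem);
    return base64_decode($b64, true);
}

// Constructed sample in-toto statement (not a real build's provenance).
$payloadType = 'application/vnd.in-toto+json';
$statement = json_encode([
    '_type'         => 'https://in-toto.io/Statement/v1',
    'subject'       => [['name' => 'app.tar.gz', 'digest' => ['sha256' => str_repeat('ab', 32)]]],
    'predicateType' => 'https://slsa.dev/provenance/v1',
    'predicate'     => new \stdClass(),
], JSON_UNESCAPED_SLASHES);

$pae = dssePae($payloadType, $statement);

// Ephemeral P-256 key for the example; a real signer uses a Fulcio cert or a managed key.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
openssl_sign($pae, $signature, $key, OPENSSL_ALGO_SHA256); // DER-encoded ECDSA signature over the PAE

// Local sanity check before anything leaves the machine: the key must verify its own signature.
if (openssl_verify($pae, $signature, $key, OPENSSL_ALGO_SHA256) !== 1) {
    throw new \RuntimeException('local signature verification failed');
}

$http = new Psr18Client(); // implements the PSR-18 client and the PSR-17 factories
$rekor = new RekorClient(
    httpClient: $http,
    requestFactory: $http,
    streamFactory: $http,
    baseUrl: 'https://rekor.example.invalid', // placeholder: your Rekor v2 log URL
);

try {
    $entry = $rekor->submitHashedRekord(
        digest: hash('sha256', $pae, true), // 32 raw bytes: SHA-256 of the PAE, not of the payload
        signature: $signature,
        verifier: Verifier::publicKey(publicKeyDer($key), KeyDetails::PKIX_ECDSA_P256_SHA_256),
    );
} catch (RekorClientException $e) {
    // Catches RekorRequestException, RekorResponseException and InvalidArgumentException alike.
    fwrite(STDERR, 'Rekor submission failed: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}

// $entry is the K2gl\SigstoreBundle\TransparencyLogEntry a DSSE bundle carries,
// alongside the envelope {payloadType, payload (base64), signatures[]}.
```

The digest passed to submitHashedRekord and the bytes passed to openssl_sign are the same PAE string; if they diverge, Rekor will still accept a consistent pair but no DSSE verifier will match the entry to the envelope.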
Signing identity
- Verifier::publicKey($der, $keyDetails): a bare public key.
- Verifier::certificate($der, $keyDetails): a Fulcio (keyless) certificate.
KeyDetails names the algorithm (PKIX_ECDSA_P256_SHA_256, PKIX_ED25519, …).
Errors
Everything thrown implements K2gl\RekorClient\Exception\RekorClientException:
- RekorRequestException: transport failed or the request could not be built.
- RekorResponseException: Rekor answered with an error status or an unparseable body; carries the HTTP statusCode.
- InvalidArgumentException: bad input.
Scope
This release covers submission (the write path a signer needs) against Rekor v2. Reading back entries and tiles (the C2SP tlog-tiles read API) is not implemented yet; verifying an entry already in a bundle is what k2gl/sigstore-verify does.