Verify attestation of extension before install

[macintoshplus]

As part of securing our software supply chain, we are integrating the PIE (PHP Installer for Extensions) tool to manage our dependencies.

To guarantee the integrity and provenance of extensions on Windows environments, we want to move beyond relying solely on the download channel and instead validate each artifact via Cosign (Sigstore).

How can we best integrate this verification before PIE installs the extension?

[asgrim]

Definitely something we'd like to tackle (for all environments, not just Windows) 👍

[macintoshplus]

Thank you for your interest in this question.

For Windows, I think it's the DLL archives that can be verified.

What artifacts would be checked for systems other than Windows?

ZIP or TAR.GZ archives are not verifiable, even with immutable versions.

https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/verifying-the-integrity-of-a-release

[asgrim]

Releases have attestations (see the link you provided) 👍

[macintoshplus]

Okay. The publication certificate indirectly verifies the integrity of the source code tar or zip archive.

Composer could also perform this dependency check.

Do you want to perform this verification using the ThePHPF/attestation library?

[asgrim]

Okay. The publication certificate indirectly verifies the integrity of the source code tar or zip archive.

Composer could also perform this dependency check.

Yep; it's something I think the Composer team were/are looking into, so I will reach out to them

Do you want to perform this verification using the ThePHPF/attestation library?

Most likely; that's the primary driver for splitting that particular part of PIE out.