Composer - Digital Signatures

Welcome, you are most likely here because either you found this page on your own, or one of the users of your package sent you here. Help keep the PHP eco-system secure and free of code injection by including digital signatures with every release.

The Apex Signer makes this as painless as possible. It's absolutely free, will only take 5 minutes to setup and an additional 10 seconds per-release. In return, the users of your package can have the confidence in knowing every line of code within your package has been authorized by you without worry of outside code injection.

Getting Setup

It's as simple as can be. First, install the Apex Signer with:

    composer require --dev apex/signer

Next, initialize the signer with the command:

    vendor/bin/signer init

This will generate a new 4096 bit RSA key for you, and also ask whether or not you wish to publish your releases to the public Apex Ledger or keep release signatures offline. It is recommended to publish your release signatures to the public ledger for greater security as your signatures will be verified against the signing certificate within the ledger, but the choice is yours, and whatever suits you best.

Once initialized, continue developing as normal. Just before you are about to commit and push a new release, run the command:

    vendor/bin/signer sign VERSION

Replace VERSION with the version number that you will be tagging the git repo with. Then simply ensure to include the signatures.json file with your commit:

    git add signatures.json

That's it, and all there is to it. Push the commit as normal, tag the release with the same version number you signed it with, and your users will have full confidence with your package knowing that every line of code has been authorized by you and no code injection has occurred.

If you have any questions or hesitations, please don't hesitate to post on the /r/apexpl sub Reddit for a prompt and helpful response.