Description
With the help of @TimWolla we wrote in PR #205 a basic PHP implementation (using ext-openssl) of gh attestation as a fallback if PIE users do not have the gh CLI tool.
It was suggested that this functionality be split out into a separate library, as the Composer team (@naderman and @glaubinix) would find this very useful too, and the wider open source PHP ecosystem can benefit too - I also saw a mention on the Laminas slack about this being useful.
The plan would be to more or less take https://github.com/php/pie/blob/main/src/SelfManage/Verify/FallbackVerificationUsingOpenSsl.php and split it into a separate library (hosted on ThePHPF repo), which is then consumed by PIE (and others).
Composer team have asked for 1) PHP support for versions that Composer supports (currently min 7.2, maybe min 8.2 composer/composer#12177), and 2) open to contributions for missing functionality. Both these requests seem very reasonable.
A discussion on the PHP Foundation #pie channel thread was productive and well received, and I feel this would be beneficial to the Foundation's goals. Additionally, having this important component independently vetted and used at "Composer scale" will help ensure the stability of this component. Initial estimate of ~1d to set up new repo, move code over, get pipelines running etc, after that PHP Foundation would provide ongoing support for the repo maintenance.