Evidence Envelope
The outer layer of an evidence file is a DSSE envelope, as shown below. It consists of the payload (containing the predicate and optional markdown), Base64-encoded and signed with a private key. It is this signature that makes the evidence verifiable (using the public key) and tamper-proof.
```json
{
  "payload": "{base64(serialized-Payload)}",
  "payloadType": "application/vnd.in-toto+json",
  "signatures": [
    {
      "keyid": "{key-id}",
      "sig": "{base64(signature)}"
    }
  ],
  "attachments": [
    {
      "repository": "{attachment-repository}",
      "path": "{attachment-path}",
      "sha256": "{attachment-sha256}"
    }
  ]
}
```

The envelope comprises the following elements:
| Property | Description |
|---|---|
| `payload` | Contains a Base64-encoded JSON, as described in Evidence Payload. |
| `payloadType` | The payload type for JFrog evidence is `application/vnd.in-toto+json`. |
| `signatures` | The key used to sign the evidence. The array includes the following mandatory elements: `keyid` (the ID of the signing key) and `sig` (the Base64-encoded signature). |
| `attachments` | An optional, unstructured file attached to the evidence. The array includes the following elements: `repository` (the repository holding the attachment), `path` (its path within that repository) and `sha256` (its SHA-256 digest). |
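The following is an added example, not JFrog's code: a minimal Go sign-and-verify round trip for an envelope shaped like the one above. It follows the DSSE convention that the signature covers the Pre-Authentication Encoding (PAE) of `payloadType` and `payload` rather than the raw payload, so neither field can be altered independently of the other; Ed25519, the key ID and the sample statement are stand-ins, and JFrog's own key formats and attachment handling are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
)

// Envelope mirrors the evidence envelope shown above; attachments are JFrog's addition to DSSE.
type Envelope struct {
	Payload     string              `json:"payload"`
	PayloadType string              `json:"payloadType"`
	Signatures  []Signature         `json:"signatures"`
	Attachments []map[string]string `json:"attachments,omitempty"` // repository, path, sha256
}
type Signature struct { KeyID string `json:"keyid"`; Sig string `json:"sig"` }

// pae is the DSSE Pre-Authentication Encoding: the bytes actually signed, binding type to payload.
func pae(t string, p []byte) []byte { return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(p), p)) }

// Sign wraps a serialized payload in an envelope with one Ed25519 signature under keyID.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, payload)))
	return Envelope{Payload: base64.StdEncoding.EncodeToString(payload), PayloadType: payloadType,
		Signatures: []Signature{{KeyID: keyID, Sig: sig}}}
}

// Verify decodes the payload and requires every signature to verify under pub.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || len(env.Signatures) == 0 {
		return nil, fmt.Errorf("malformed envelope: %v", err)
	}
	for _, s := range env.Signatures {
		if sig, err := base64.StdEncoding.DecodeString(s.Sig); err != nil || !ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			return nil, fmt.Errorf("signature for key %q does not verify", s.KeyID)
		}
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; the key id below is a placeholder
	env := Sign(priv, "example-key-id", "application/vnd.in-toto+json", []byte(`{"_type":"https://in-toto.io/Statement/v1"}`))
	_, genuine := Verify(pub, env)
	env.PayloadType = "text/plain" // alter a field outside the payload: the PAE changes, so the signature fails
	_, tampered := Verify(pub, env)
	fmt.Println("genuine verifies:", genuine == nil, "| tampered rejected:", tampered != nil)
}
```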