What is DSSE (Dead Simple Signing Envelope)?


A minimal envelope format, from the in-toto and TUF community, for signing an arbitrary payload together with its declared payload type. Used by in-toto and Sigstore for supply-chain attestations. Securie uses DSSE for every signed finding, patch and audit bundle.

Full explanation

A DSSE envelope carries three fields: payload (the raw payload bytes, base64-encoded; for Securie this is an in-toto v1 Statement), payloadType (application/vnd.in-toto+json for in-toto) and one or more signatures. The signature is not over the payload alone but over the Pre-Authentication Encoding (PAE) of payloadType and payload, so the key vouches for both. Envelopes are verifiable with cosign verify-blob-attestation (cosign verify-blob is for raw signatures over a blob, not for DSSE). Securie's attestation crate produces DSSE envelopes for findings (FindingVerdictPredicate), patches (PatchProposedPredicate and FixConfirmedPredicate), SBOMs (SbomAttestedPredicate) and AIBOMs (AibomAttestedPredicate).

Example

Securie scans PR #184, finds and sandbox-verifies a BOLA on /api/orders/[id], and patches it. Each step ships as a DSSE-signed in-toto envelope. An auditor downloads /api/auditor/bundle/<sha> and verifies the chain with cosign.

FAQ

Why DSSE vs raw signature?

A raw signature covers only bytes, so a verifier has to infer what those bytes were meant to be. DSSE binds the payloadType into the signed message via PAE, so a signature produced over one payload type cannot be replayed as a different type (a cross-protocol confusion attack). PAE also length-prefixes both fields, so type and payload cannot be shifted into one another, and the payload is signed as raw bytes, so no canonicalization step is needed before verification.
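As an added example covering both the envelope layout under Full explanation and the payloadType binding discussed in this answer, here is a stand-alone Go implementation (not Securie's attestation crate and not the DSSE project's own code): it computes PAE, signs a constructed in-toto v1 Statement with an ed25519 key, verifies the envelope, and then shows the same signature being rejected once the payloadType is swapped or the payload is edited. The predicateType URI, key id, subject path and file contents are constructed placeholders, not Securie identifiers.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// payloadType the in-toto spec assigns to Statements.
const InTotoPayloadType = "application/vnd.in-toto+json"

// Envelope is the DSSE envelope; signatures cover PAE(payloadType, payload), never the payload alone.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // standard base64 of the raw payload bytes
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid,omitempty"`
	Sig   string `json:"sig"` // standard base64 of the raw signature
}

// PAE is the DSSE Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps payload in an envelope carrying one ed25519 signature over its PAE.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify recomputes PAE from the envelope's own payloadType and payload and returns the
// raw payload if any signature verifies under pub. The payload is never parsed first.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("dsse: bad payload encoding: %w", err)
	}
	msg := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, msg, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("dsse: no signature verified")
}

// Demo signs a constructed in-toto v1 Statement, verifies it, then shows the same signature
// being rejected after a payloadType swap and after a payload edit. Returns (verified, typeSwapRejected, tamperRejected, err).
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed subject: a patched route handler standing in for the PR's changed file.
	d := sha256.Sum256([]byte("export const GET = (req) => authz(req.user, req.params.id)\n"))
	stmt := map[string]any{
		"_type":   "https://in-toto.io/Statement/v1",
		"subject": []map[string]any{{"name": "src/api/orders/[id].ts", "digest": map[string]string{"sha256": hex.EncodeToString(d[:])}}},
		// Placeholder URI: the real FindingVerdictPredicate type URI is not given on this page.
		"predicateType": "https://example.com/FindingVerdict/v1",
		"predicate":     map[string]any{"class": "BOLA", "route": "/api/orders/[id]", "verdict": "confirmed"},
	}
	payload, err := json.Marshal(stmt)
	if err != nil {
		return false, false, false, err
	}
	env := Sign(priv, "example-key-1", InTotoPayloadType, payload) // key id is a placeholder
	got, err := Verify(pub, env)
	verified := err == nil && bytes.Equal(got, payload)
	// Cross-protocol confusion attempt: identical bytes and signature, different declared type.
	swapped := env
	swapped.PayloadType = "application/vnd.example.raw+json"
	_, swapErr := Verify(pub, swapped)
	// Tampering attempt: rewrite the verdict, keep the original signature.
	tampered := env
	tampered.Payload = base64.StdEncoding.EncodeToString(bytes.Replace(payload, []byte(`"confirmed"`), []byte(`"false_positive"`), 1))
	_, tamperErr := Verify(pub, tampered)
	return verified, swapErr != nil, tamperErr != nil, nil
}

func main() { fmt.Println(Demo()) }
```

The three booleans printed by main are verified, typeSwapRejected and tamperRejected; all three should be true. Verify deliberately decodes the base64 and recomputes PAE before touching the payload's JSON, which is the property that lets DSSE skip canonicalization. In production, use the DSSE support in the sigstore or in-toto libraries (or cosign verify-blob-attestation) rather than a hand-rolled verifier; this block exists to make the signed bytes visible.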