DSSE Explained
Standard Envelopes for Signing Provenance and Attestations
by Trex Team
Digital download, no shipping costs
Description
"DSSE Explained: Standard Envelopes for Signing Provenance and Attestations"
Modern software supply chains increasingly depend on signed metadata, yet teams still struggle with a deceptively simple question: what exactly is being signed, and how do we verify it safely? This book is for experienced engineers, security practitioners, and tool builders who need a rigorous, implementation-ready understanding of DSSE and its role in attestations—without hand-waving over byte-level details, parsing hazards, or real ecosystem constraints.
You’ll learn how DSSE’s Pre-Authentication Encoding (PAE) produces unambiguous signed bytes, why `payloadType` must be treated as authenticated context to prevent confusion attacks, and how to design verifiers that follow “verify-before-parse” to avoid canonicalization traps. The book then connects those envelope semantics to in-toto Statement v1—subjects, digests, and `predicateType`—and finally to SLSA Provenance v1 as a concrete predicate you can evaluate with policy. Along the way, it covers multi-signature and threshold models, defensive JSON envelope parsing, safe handling of `keyid` hints, and compatibility milestones that affect production systems.
Practical Sigstore and Cosign workflows anchor the specifications in reality: bundles for offline verification, migration pitfalls, and a systematic debugging playbook that isolates failures across envelope, statement, and predicate layers. Readers should be comfortable with public-key signatures, hashing, and CI/CD realities; the differentiator here is precision—protocol semantics and engin
Product details

| Detail | Value |
|---|---|
| ISBN | 6610001191474 |
| Publisher | NobleTrex Press |
| Publication date | 22.03.2026 |
| Language | English |