Skip to main content

DSSE (Dead Simple Signing Envelope)

DSSE is a standard signing envelope that binds a payload to its type and signature, widely used for attestations and SBOMs.

The Dead Simple Signing Envelope (DSSE) is a small, standard format for signing arbitrary data. It carries the payload, a declared payload type, and one or more signatures, and it signs a canonical encoding that includes the payload type — so a signature can't be replayed against a different kind of content.

How It Works

DSSE defines a Pre-Authentication Encoding (PAE): the signer signs the payload type and the payload together, length-prefixed, rather than the raw bytes alone. This binding means the type and content are verified as one unit. The envelope holds the base64 payload, its type (for example, an in-toto Statement), and the signatures.

DSSE is the envelope of choice for in-toto attestations and is what tools like cosign use to sign SBOMs and build provenance. Verification reconstructs the PAE, checks the signature against the expected key or identity, and only then trusts the payload inside.

Why It Matters

Signing is easy to get subtly wrong — signing the wrong bytes, or a signature that verifies against unintended content. DSSE gives the ecosystem one simple, reviewed envelope so attestations and SBOMs from different tools interoperate and verify consistently.

Related Terms

DSSE wraps attestations that carry provenance and SBOM claims, and is part of the tooling for supply-chain security.