When external evidence is deployed to Artifactory, the evidence file is parsed and validated according to the following sequence:
1. Validates the token used to authenticate the user invoking the Deploy Evidence API
2. Parses and validates the DSSE evidence envelope
3. Decodes the Base64 payload inside the DSSE envelope
4. Verifies the signature
5. Parses and validates the evidence payload
6. Validates the repository type of the evidence subject (must be local or Federated)
7. Validates the existence of the evidence subject in the specified path in Artifactory
8. Resolves the subject from Artifactory using its full repository path
9. Verifies the subject's digest (if the sha256 is provided in the request)
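
The checks in this sequence that need no server (envelope parsing, Base64 decoding, signature verification, payload parsing, digest comparison) can be reproduced locally before deploying; the following is an added Go example, not JFrog's code. Assumptions: an Ed25519 signing key, an in-toto Statement payload carrying `subject[0].digest.sha256`, and the hypothetical names `checkEvidence`, `pae` and `envelope`; the token, repository-type and path checks require a live Artifactory and are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type envelope struct { // DSSE envelope; encoding/json matches the lowercase keys case-insensitively
	PayloadType, Payload string
	Signatures           []struct{ Sig string }
}
func pae(typ string, body []byte) []byte { // DSSE pre-authentication encoding: the bytes that are signed
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// checkEvidence runs the offline checks in order: envelope, Base64, signature, payload, digest.
func checkEvidence(raw []byte, pub ed25519.PublicKey, artifact []byte) error {
	var env envelope
	if json.Unmarshal(raw, &env) != nil || len(env.Signatures) == 0 {
		return fmt.Errorf("malformed DSSE envelope")
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload is not valid Base64")
	}
	sg, err := base64.StdEncoding.DecodeString(env.Signatures[0].Sig)
	if err != nil || !ed25519.Verify(pub, pae(env.PayloadType, body), sg) {
		return fmt.Errorf("signature verification failed")
	}
	var st struct{ Subject []struct{ Digest map[string]string } } // assumed in-toto Statement layout
	if json.Unmarshal(body, &st) != nil || len(st.Subject) == 0 {
		return fmt.Errorf("malformed evidence payload")
	}
	if st.Subject[0].Digest["sha256"] != fmt.Sprintf("%x", sha256.Sum256(artifact)) {
		return fmt.Errorf("subject digest mismatch")
	}
	return nil
}

func main() { // constructed sample signed with a throwaway key, not Artifactory output
	pub, priv, _ := ed25519.GenerateKey(nil)
	art, typ := []byte("constructed artifact"), "application/vnd.in-toto+json"
	body := []byte(fmt.Sprintf(`{"subject":[{"digest":{"sha256":"%x"}}]}`, sha256.Sum256(art)))
	s := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(typ, body)))
	raw := fmt.Sprintf(`{"payloadType":%q,"payload":%q,"signatures":[{"sig":%q}]}`, typ, base64.StdEncoding.EncodeToString(body), s)
	fmt.Println("valid evidence:", checkEvidence([]byte(raw), pub, art))
}
```

The signature covers the PAE of the payload type and the decoded payload, not the Base64 text, so the payload must be decoded before verification; only the first signature in the envelope is checked here.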