The outer layer of an evidence file is a DSSE envelope, as shown below. It consists of the payload (containing the predicate and optional markdown), Base64-encoded, together with a signature over that payload made with a private key. Note that Base64 is an encoding, not encryption: anyone holding the file can decode and read the payload. It is the signature that makes the evidence verifiable (using the matching public key) and tamper-proof.
```json
{
  "payload": "{base64(serialized-Payload)}",
  "payloadType": "application/vnd.in-toto+json",
  "signatures": [
    {
      "keyid": "{key-id}",
      "sig": "{base64(signature)}"
    }
  ]
}
```
The envelope consists of the following elements:

| Property | Description |
|---|---|
| `payload` | Contains a Base64-encoded JSON, as described in Evidence Payload. |
| `payloadType` | The payload type for JFrog evidence is `application/vnd.in-toto+json`. |
| `signatures` | The signature(s) made with the key used to sign the evidence. Each entry in the array includes the following mandatory elements: `keyid`, the identifier of the signing key, and `sig`, the Base64-encoded signature. |
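The following Go program is an added example, not code from the JFrog project or from this page, that builds and verifies an envelope of exactly the shape shown above. It demonstrates the point a verifier must get right: a DSSE signature is not computed over the Base64 text but over the Pre-Authentication Encoding (PAE) of `payloadType` and the raw payload bytes, so changing either field invalidates the signature. The key algorithm (Ed25519), the key id `key-1`, the in-toto statement used as payload and the function names `SignEnvelope` and `VerifyEnvelope` are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// Signature mirrors one entry of the envelope's "signatures" array.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Envelope mirrors the outer DSSE layer of an evidence file.
type Envelope struct {
	Payload     string      `json:"payload"`
	PayloadType string      `json:"payloadType"`
	Signatures  []Signature `json:"signatures"`
}

// pae builds the DSSE Pre-Authentication Encoding that is actually signed:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
// Because payloadType is part of the signed message, it cannot be swapped
// without breaking the signature.
func pae(payloadType string, payload []byte) []byte {
	header := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(header), payload...)
}

// SignEnvelope wraps a serialized payload in a DSSE envelope signed with an
// Ed25519 private key (Ed25519 is an assumption for this example).
func SignEnvelope(payload []byte, payloadType, keyID string, priv ed25519.PrivateKey) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		Payload:     base64.StdEncoding.EncodeToString(payload),
		PayloadType: payloadType,
		Signatures: []Signature{{
			KeyID: keyID,
			Sig:   base64.StdEncoding.EncodeToString(sig),
		}},
	}
}

// VerifyEnvelope decodes the payload and accepts the envelope only if at least
// one signature verifies under a trusted public key selected by keyid.
// It returns the raw (decoded) payload on success.
func VerifyEnvelope(env Envelope, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not valid base64: %w", err)
	}
	if len(env.Signatures) == 0 {
		return nil, errors.New("envelope carries no signatures")
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue // unknown keyid: skip rather than trust
		}
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			continue
		}
		if ed25519.Verify(pub, msg, raw) {
			return payload, nil
		}
	}
	return nil, errors.New("no signature verified against a trusted key")
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload: a minimal in-toto statement.
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://example.test/constructed","predicate":{"ok":true}}`)
	env := SignEnvelope(payload, "application/vnd.in-toto+json", "key-1", priv)
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	_, err = VerifyEnvelope(env, map[string]ed25519.PublicKey{"key-1": pub})
	fmt.Println("verified:", err == nil)
}
```

Keying the trusted-key lookup on `keyid` means a signature from a key the verifier has not been configured to trust is simply ignored, and an envelope with only such signatures is rejected rather than accepted on the strength of a well-formed but untrusted signature.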