@avrabe avrabe commented Jan 17, 2026

Summary

Implements industry-standard attestation formats for embedded signatures, addressing the gap identified in the codebase assessment.

What Changed

  • DSSE envelope (src/lib/src/dsse.rs): Standard signing envelope format
    • Ed25519 signing and verification
    • Multi-signature support
    • JSON serialization compatible with cosign/sigstore-rs
  • in-toto Statement v1.0 (src/lib/src/intoto.rs): Attestation framework
    • Statement, Subject, DigestSet types
    • ResourceDescriptor for dependency tracking
    • Standard predicate type constants
  • SLSA Provenance v1.0 (src/lib/src/slsa.rs): Supply chain provenance
    • BuildDefinition with externalParameters/resolvedDependencies
    • RunDetails with builder identity and metadata
    • SlsaLevel enum (L0-L3)

New Composition Functions

// Embed signed SLSA provenance in DSSE format
embed_slsa_provenance(module, &provenance, &signer)?;

// Embed transformation attestation in DSSE
embed_transformation_dsse(module, &attestation, &signer)?;

// Extract for external tooling
let envelope = extract_dsse_attestation(&module)?;
// envelope is standard DSSE JSON - works with any DSSE tool

Benefits

| Before | After |
| --- | --- |
| Custom JSON formats | Standard DSSE envelope |
| wsc-only parsing | Compatible with cosign, sigstore-rs |
| Separate section per type | Single wsc.attestation section |
| No SLSA format | SLSA v1.0 provenance ready |

Extraction Example

# Extract attestation from WASM (future CLI command)
wasm-tools print module.wasm --custom wsc.attestation > attestation.json

# attestation.json is valid DSSE - verify with any tool
cosign verify-blob --bundle attestation.json ...

Test plan

  • All 548 existing tests pass
  • New DSSE tests (sign, verify, roundtrip, multi-sig)
  • New in-toto tests (statement serialization, subject creation)
  • New SLSA tests (provenance building, level comparison)
  • CI validation

Implements industry-standard attestation formats for embedded signatures:

- DSSE (Dead Simple Signing Envelope): Standard envelope format that
  enables extraction with any DSSE-compatible tool (cosign, sigstore-rs)
- in-toto Statement v1.0: Standard attestation framework binding
  predicates to artifact subjects
- SLSA Provenance v1.0: Standard supply chain provenance format for
  compliance with SLSA Build levels

New modules:
- src/lib/src/dsse.rs: DSSE envelope with Ed25519 signing/verification
- src/lib/src/intoto.rs: in-toto Statement, Subject, DigestSet types
- src/lib/src/slsa.rs: SLSA Provenance, BuildDefinition, RunDetails

New composition functions:
- embed_slsa_provenance(): Embed signed SLSA provenance in DSSE format
- embed_transformation_dsse(): Embed transformation attestation in DSSE
- extract_dsse_attestation(): Extract raw DSSE envelope
- extract_slsa_provenance(): Extract and verify SLSA provenance
- extract_transformation_from_dsse(): Extract transformation attestation

Benefits:
- Attestations can be extracted as standalone files
- Compatible with standard Sigstore/in-toto tooling
- Enables SLSA compliance verification
- Single "wsc.attestation" section with standard format

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
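
The consumer side of the DSSE envelope and multi-signature support described in this pull request, as an added example that is not code from the PR or from wsc: it builds the DSSE v1 pre-authentication encoding (the bytes a signature actually covers) and releases the payload only after the payload type matches and enough distinct keys verify. The names `Signature`, `Envelope`, `pae`, `verified_payload` and `toy_verify` are hypothetical, the distinct-key threshold is this example's policy, and `toy_verify` is a constructed stand-in for Ed25519 so the block runs offline.

```rust
// Added example, not wsc code: all type and function names here are hypothetical.
use std::collections::HashSet;

/// One "signatures" entry, after base64 decoding. `keyid` is an unauthenticated hint.
pub struct Signature { pub keyid: String, pub sig: Vec<u8> }

/// A DSSE envelope after JSON parsing and base64 decoding of "payload".
pub struct Envelope { pub payload_type: String, pub payload: Vec<u8>, pub signatures: Vec<Signature> }

/// DSSE v1 pre-authentication encoding, the exact bytes that are signed:
/// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, LEN as ASCII decimal.
pub fn pae(payload_type: &str, payload: &[u8]) -> Vec<u8> {
    let header = format!("DSSEv1 {} {} {} ", payload_type.len(), payload_type, payload.len());
    let mut out = header.into_bytes();
    out.extend_from_slice(payload);
    out
}

/// Returns the payload only when the type matches and at least `threshold`
/// distinct trusted keys verify. `verify(keyid, msg, sig)` must look up the
/// trusted key for `keyid` itself and return false for unknown ids.
pub fn verified_payload<'a>(
    env: &'a Envelope, expected_type: &str, threshold: usize,
    verify: impl Fn(&str, &[u8], &[u8]) -> bool,
) -> Option<&'a [u8]> {
    if threshold == 0 || env.payload_type != expected_type { return None; }
    let msg = pae(&env.payload_type, &env.payload);
    let mut good: HashSet<&str> = HashSet::new();
    for s in &env.signatures {
        if verify(&s.keyid, &msg, &s.sig) { good.insert(s.keyid.as_str()); }
    }
    if good.len() >= threshold { Some(env.payload.as_slice()) } else { None }
}

/// Constructed stand-in for Ed25519 so the example runs offline: a "signature"
/// is valid when the key id is trusted and the signature bytes equal the message.
pub fn toy_verify(keyid: &str, msg: &[u8], sig: &[u8]) -> bool {
    ["builder", "reviewer"].contains(&keyid) && sig == msg
}

fn main() {
    let ty = "application/vnd.in-toto+json";
    let body = br#"{"_type":"https://in-toto.io/Statement/v1"}"#.to_vec();
    let sign = |k: &str| Signature { keyid: k.into(), sig: pae(ty, &body) };
    // Same key twice: two signatures, but only one distinct signer.
    let env = Envelope { payload_type: ty.into(), payload: body.clone(), signatures: vec![sign("builder"), sign("builder")] };
    println!("threshold 1: {}", verified_payload(&env, ty, 1, toy_verify).is_some());
    println!("threshold 2: {}", verified_payload(&env, ty, 2, toy_verify).is_some());
}
```

In a real verifier the closure passed as `verify` would perform Ed25519 verification against a pinned public key selected by `keyid`.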