Added link to in-toto statements and envelope specification

Signed-off-by: Fredrik Skogman <[email protected]>
sigstore · Jan 9, 2025 · 5f40656 · 5f40656
1 parent 1ea9e4b
commit 5f40656
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/client-spec.md b/client-spec.md
@@ -231,7 +231,9 @@ The Verifier now constructs the payload to be signed from the artifact and the a
 
 * Using the raw bytes of the artifact as the payload.
 * Hashing the artifact, then using the resultant digest as the payload.
-* Using [DSSE](https://github.com/secure-systems-lab/dsse/blob/master/protocol.md) as an envelope for the payload which MUST be an in-toto statement.
+* Using [DSSE](https://github.com/secure-systems-lab/dsse/blob/master/protocol.md) as an envelope for the payload.
+    * The DSSE `payloadType` must be `application/vnd.in-toto+json` per the [in-toto Envelope layer specification](https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md).
+    * The payload MUST be an [in-toto statement](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md).
     * Verifier MUST ensure that the artifact's digest/algorithm tuple is present in the list of subjects in the in-toto statement.
     * Verifier SHOULD accept the raw artifact and compute the message digest to minimize any risk for confusion attacks.