Attestations: DSSE over in-toto
Every decision dpndncY makes is emitted as a DSSE envelope wrapping an in-toto v1 Statement. The Statement names the subject (what the decision is about), a predicateType (which kind of decision), and a predicate (the evidence). The envelope is signed, so the decision is tamper-evident and verifiable offline with one public key.
The three predicate types
| predicateType | Emitted | Payload |
|---|---|---|
| https://dpndncy.io/scan/v1 | per scan | Findings + the signal stack that produced each. |
| https://dpndncy.io/firewall/v1 | per allow / block / bypass | The install evaluated, the verdict, and the rule that decided it. |
| https://dpndncy.io/agent/runtime-trace/v1 | per CI job | Captured events summary + the SHA-256 of the full event log. |
Envelope shape
```json
{
  "payloadType": "application/vnd.in-toto+json",
  "payload": "<base64url in-toto Statement>",
  "signatures": [
    { "keyid": "sha256:HmCC8oTtuG…", "sig": "<base64url signature>" }
  ]
}
```

The payload decodes to an in-toto Statement with _type, subject (name + sha256 digest), predicateType, and predicate. Each predicate has a versioned JSON Schema — see Attestation reference.
Signing
Default signatures use RS256 (RSASSA-PKCS1-v1_5 + SHA-256) over the DSSE PAE-encoded payload. The signing key is yours (autogen for dev, BYOK for production). Optionally sign keyless via Sigstore when an OIDC identity is available — see Sigstore.
dpndncy-verify — no call back to dpndncY, no portal login. See Verify offline.