# Per-Layer DSSE Attestations

## Module

Attestor

## Status

VERIFIED

## Description

Layer-specific DSSE attestations with batch signing for efficiency, generating individual attestations per container image layer linked to layer-specific SBOM subjects.

## Implementation Details

- **DSSE Envelope Signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` (with `.Verification`) -- signs per-layer attestations into DSSE envelopes. Supports batch signing for multi-layer images.
- **DSSE Envelope**: `Signing/DsseEnvelope.cs` -- envelope model with payload, payloadType, and signatures array.
- **DSSE Signature**: `Signing/DsseSignature.cs` -- individual signature within an envelope.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements with layer-specific subjects (layer digest as subject).
- **Proof Subject**: `Builders/ProofSubject.cs` -- subject model with name (layer digest) and digest map.
- **Attestation Bundler**: `__Libraries/StellaOps.Attestor.Bundling/AttestationBundler.cs` -- bundles per-layer attestations into a single container-level bundle.
- **OCI Attachment**: `__Libraries/StellaOps.Attestor.Oci/Services/OrasAttestationAttacher.cs` -- attaches per-layer attestations to container image digests via the OCI Referrers API.
- **Signing Key Profile**: `Signing/SigningKeyProfile.cs` -- key profile used for signing (supports per-layer key selection).
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/DsseSigningTests.cs`

## E2E Test Plan

- [ ] Create per-layer in-toto statements for a 3-layer container image with layer digests as subjects and sign each via `ProofChainSigner`
- [ ] Verify each per-layer DSSE envelope has the correct layer digest in the subject
- [ ] Batch-sign all 3 layer attestations and verify all envelopes are produced efficiently
- [ ] Bundle per-layer attestations into a container-level bundle via `AttestationBundler` and verify the bundle references all layers
- [ ] Attach per-layer attestations to the container image via `OrasAttestationAttacher` and verify they are discoverable as referrers
- [ ] Verify each per-layer attestation signature independently via `ProofChainSigner.Verification`
- [ ] Create a per-layer attestation linking to a layer-specific SBOM and verify the SBOM subject reference

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |
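The shape of what the first three E2E steps exercise (one in-toto statement per layer with the layer digest as subject, each wrapped in a DSSE envelope signed over the pre-authentication encoding, then batch-produced and checked independently), as an added Python example that is not the StellaOps `ProofChainSigner` code. It assumes a constructed image, constructed layer and SBOM digests, and a placeholder predicate type; HMAC stands in for the key-profile signer so it runs offline.

```python
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://example.invalid/layer-sbom/v1"  # placeholder, not a real predicate

def build_layer_statement(image_ref: str, layer_digest: str, sbom_digest: str) -> dict:
    """in-toto Statement whose only subject is one image layer (name = layer digest)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": layer_digest,
                     "digest": {"sha256": layer_digest.split(":", 1)[1]}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"image": image_ref, "sbom": {"sha256": sbom_digest}},
    }

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the signature covers this, never the raw payload."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)

def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Wrap one statement in a DSSE envelope. HMAC is a stand-in for the asymmetric signer."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def batch_sign_layers(image_ref: str, layers: list, key: bytes, keyid: str) -> list:
    """One envelope per (layer_digest, sbom_digest) pair, same key profile for the whole image."""
    return [sign_envelope(build_layer_statement(image_ref, ld, sd), key, keyid) for ld, sd in layers]

def verify_layer_envelope(env: dict, key: bytes, expected_layer: str) -> bool:
    """Check the signature over PAE first, then that the subject is exactly the expected layer."""
    if env["payloadType"] != PAYLOAD_TYPE:
        return False
    payload = base64.b64decode(env["payload"])
    want = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(want, base64.b64decode(s["sig"])) for s in env["signatures"]):
        return False
    stmt = json.loads(payload)
    subj = stmt.get("subject", [])
    return (stmt.get("_type") == STATEMENT_TYPE and len(subj) == 1
            and subj[0]["name"] == expected_layer
            and subj[0]["digest"].get("sha256") == expected_layer.split(":", 1)[1])

# Constructed sample data: a 3-layer image, each layer paired with its own SBOM digest.
KEY = b"demo-hmac-key-not-for-production"
LAYERS = [("sha256:" + hashlib.sha256(b"layer-%d" % i).hexdigest(),
           hashlib.sha256(b"sbom-%d" % i).hexdigest()) for i in range(1, 4)]
ENVELOPES = batch_sign_layers("registry.example/app:1.0", LAYERS, KEY, "layer-key-1")
```

Verifying an envelope against the wrong layer digest fails even though the signature is valid, which is the check that keeps a layer attestation from being replayed against a different layer.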