# DSSE Attestation

This example shows how to emit DSSE envelopes from `stella scan diff` and verify them.

## Generate DSSE Output

```bash
stella scan diff \
  --base docker://registry.example.com/myapp:1.0.0 \
  --target docker://registry.example.com/myapp:1.0.1 \
  --mode=elf \
  --emit-dsse=./attestations \
  --signing-key=./keys/binarydiff.pem
```

Output files:

```
attestations/
  linux-amd64-binarydiff.dsse.json
  linux-amd64-binarydiff.payload.json
```

## Attach Attestation

```bash
stella attest attach \
  --image docker://registry.example.com/myapp:1.0.1 \
  --attestation ./attestations/linux-amd64-binarydiff.dsse.json
```

## Verify with Cosign

```bash
cosign verify-attestation \
  --type stellaops.binarydiff.v1 \
  --key ./keys/binarydiff.pub \
  docker://registry.example.com/myapp:1.0.1
```

## Notes

- DSSE signing requires an ECDSA private key (P-256/384/521) in PEM format.
- If the image is multi-arch, specify `--platform` to select the manifest.