DSSE Attestation
This example shows how to emit DSSE envelopes from stella scan diff and verify them.
Generate DSSE Output
stella scan diff \
  --base docker://registry.example.com/myapp:1.0.0 \
  --target docker://registry.example.com/myapp:1.0.1 \
  --mode=elf \
  --emit-dsse=./attestations \
  --signing-key=./keys/binarydiff.pem
Output files:
attestations/
  linux-amd64-binarydiff.dsse.json
  linux-amd64-binarydiff.payload.json
Attach Attestation
stella attest attach \
  --image docker://registry.example.com/myapp:1.0.1 \
  --attestation ./attestations/linux-amd64-binarydiff.dsse.json
Verify with Cosign
cosign verify-attestation \
  --type stellaops.binarydiff.v1 \
  --key ./keys/binarydiff.pub \
  docker://registry.example.com/myapp:1.0.1
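The envelope-level check behind DSSE verification, as an added Go example (not Stella Ops or cosign code): the signature covers the DSSE pre-authentication encoding (PAE) of payloadType and payload, not the JSON file itself. Assumptions: ECDSA P-256 with SHA-256 and a DER signature, an in-toto payloadType, a constructed sample payload, and a throwaway key generated at start-up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key (constructed)

// PAE is the DSSE pre-authentication encoding: the exact bytes that get signed.
func PAE(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}
// Sign stands in for the signer (assumed scheme: SHA-256 over PAE, DER signature).
func Sign(typ string, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(PAE(typ, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, demoKey, digest[:])
	b64 := base64.StdEncoding.EncodeToString
	raw, _ := json.Marshal(map[string]any{"payloadType": typ, "payload": b64(payload), "signatures": []map[string]string{{"sig": b64(sig)}}})
	return raw, err
}
// Verify returns the payload only if a signature covers PAE(payloadType, payload).
func Verify(raw []byte, pub *ecdsa.PublicKey, wantType string) ([]byte, error) {
	var env struct {
		PayloadType, Payload string
		Signatures           []struct{ Sig string }
	}
	if err := json.Unmarshal(raw, &env); err != nil || env.PayloadType != wantType {
		return nil, fmt.Errorf("malformed envelope or unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	digest := sha256.Sum256(PAE(env.PayloadType, payload))
	for _, s := range env.Signatures {
		if sig, e := base64.StdEncoding.DecodeString(s.Sig); err == nil && e == nil && ecdsa.VerifyASN1(pub, digest[:], sig) {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("no signature verifies over the PAE bytes")
}

func main() {
	raw, _ := Sign("application/vnd.in-toto+json", []byte(`{"predicateType":"stellaops.binarydiff.v1"}`)) // assumed type, constructed payload
	payload, err := Verify(raw, &demoKey.PublicKey, "application/vnd.in-toto+json")
	fmt.Printf("payload=%s err=%v\n", payload, err)
}
```

Because payloadType is part of the signed bytes, an envelope whose type or payload is edited after signing fails verification even when the signature field is left untouched.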
Notes
- DSSE signing requires an ECDSA private key (P-256/384/521) in PEM format.
- If the image is multi-arch, specify --platform to select the manifest.