How to Use the DSSE Attestation Online Decoder Tool

Step-by-Step Instructions

1. Paste your DSSE JSON into DSSE Envelope Input.

2. (Optional) To verify your attestation, add your public key under Signature Verification. (Note: do not paste your private key here.)

3. Click Extract and Verify.

4. The tool parses the envelope and decodes the payload into human-readable content. If you added a valid public key and signature verification succeeds, you now have a verified evidence payload you can inspect.

Frequently Asked Questions

What is DSSE? What is DSSE for?

DSSE, or Dead Simple Signing Envelope, is a standard JSON format for signing arbitrary data. It contains a payload, its type, and digital signatures.

DSSE is a widely adopted format for attesting software supply chain security, particularly for verifying SLSA provenance and attestations, in-toto verification, and Sigstore. DSSE can also be part of your compliance efforts aligning with regulations such as SOC2, GDPR, HIPAA, PCI-DSS, FISMA, CCPA, DFARS, and more.

What is the DSSE Attestation Online Decoder?

It is a tool that helps you quickly decode attestation metadata and verify your DSSE envelopes so you can view the signed payload, understand its contents, and verify its integrity. The verified payload serves as attestation for GRC (governance, risk, compliance).

Who developed this? Why?

The DSSE Attestation Online Decoder is a free, secure tool developed for the community by JFrog.
Our goal is simple: to make working with DSSE envelopes easy for all, simplifying software supply chain security workflows for developers, auditors, and everyone else!

Why should I decode my DSSE envelopes?

By decoding your DSSE envelopes, you’ll get the underlying data (the payload), the subject of the evidence (artifact name, digest, or source code commit hash), the type of data (SLSA provenance, promotion, penetration score, scanning results, etc.), and the details about the signatures attached to it.

This will allow you to verify they are indeed referencing the right packages and contain the desired and intended contents, allowing you to push these packages forward.

Here’s an example of a decoded payload:

				
					{
     "_type": "https://in-toto.io/Statement/v1",
     "subject": [
           {
                "digest": {
                     "sha256":
"9a5c889b21ed34df5e4ae12f07587dd29cf735956bffd1c502cf9d6bf6ccdef6"
              }
           }
       ],
       "predicateType": "https://jfrog.com/evidence/build-signature/v1",
       "predicate": {
           "actor": "snatanel",
           "date": "2025-04-21T08:44:39Z"
        } ,
       "createdAt": "2025-04-21T08:44:40.050Z",
       "createdBy": "admin"
}
				
			

Why should I decode attestation with this tool?

Without a quick way to decode your attestations, you’ll likely spend hours in your CLI parsing DSSE envelopes to get at the evidence payloads. We’ve built all of those manual steps into this tool, saving you time and effort.

Using the DSSE Attestation Online Decoder, decoding DSSE attestations takes a matter of seconds, not hours.

How does this work?

Simply paste the DSSE JSON into the tool. The tool parses the envelope, then decodes the payload into human-readable content. If you also supply a valid public key and signature verification succeeds (optional), you’ll have a verified evidence payload you can inspect.
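The steps the tool performs (parse the envelope, base64-decode the payload, verify the signatures over the payload) and the decoded in-toto Statement shown under "Why should I decode my DSSE envelopes?" can be walked through in code. The following is an added example written for this page; it is not the decoder tool's own code or any JFrog code. It implements the DSSE v1 envelope layout and Pre-Authentication Encoding (PAE) in the Python standard library; the `ed25519_verifier` adapter assumes the third-party `cryptography` package is installed, and the sample envelope, its digest, actor, and "placeholder-signature" bytes are constructed values, not real signed evidence.

```python
"""Decode and verify a DSSE envelope (added example, not JFrog's tool code).

A DSSE v1 envelope is JSON with three fields: payloadType, a base64 payload,
and a list of signatures. Each signature is over the Pre-Authentication
Encoding (PAE) of type and payload, not the raw payload, which is what binds
the declared type to the content. Signature algorithms are pluggable here and
need only a public key.
"""
import base64
import json
from typing import Callable, Optional

# Verifier callback: (keyid, signature bytes, PAE bytes) -> True if valid.
Verifier = Callable[[Optional[str], bytes, bytes], bool]


def b64decode_lenient(data: str) -> bytes:
    """DSSE permits standard or URL-safe base64, with or without padding."""
    data = data.strip().replace("-", "+").replace("_", "/")
    data += "=" * (-len(data) % 4)
    return base64.b64decode(data, validate=True)


def pae(payload_type: str, payload: bytes) -> bytes:
    """The bytes that are actually signed:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload (ASCII decimal lengths)."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def parse_envelope(envelope_json: str) -> dict:
    """Validate the envelope structure and decode the payload and signatures."""
    env = json.loads(envelope_json)
    for field in ("payloadType", "payload", "signatures"):
        if field not in env:
            raise ValueError(f"envelope is missing required field {field!r}")
    if not isinstance(env["signatures"], list) or not env["signatures"]:
        raise ValueError("envelope must carry at least one signature")
    return {
        "payloadType": env["payloadType"],
        "payload": b64decode_lenient(env["payload"]),
        "signatures": [
            {"keyid": s.get("keyid"), "sig": b64decode_lenient(s["sig"])}
            for s in env["signatures"]
        ],
    }


def decode_statement(parsed: dict) -> dict:
    """Interpret an in-toto Statement payload: surface the subject digests and
    predicate type an auditor checks first, alongside the full statement."""
    statement = json.loads(parsed["payload"].decode("utf-8"))
    subjects = [{"name": s.get("name"), "digest": s.get("digest", {})}
                for s in statement.get("subject", [])]
    return {"predicateType": statement.get("predicateType"),
            "subjects": subjects, "statement": statement}


def verify_envelope(parsed: dict, verifier: Verifier) -> bool:
    """True if at least one signature verifies over PAE(payloadType, payload)."""
    signed = pae(parsed["payloadType"], parsed["payload"])
    return any(verifier(s["keyid"], s["sig"], signed) for s in parsed["signatures"])


def ed25519_verifier(public_key_pem: bytes) -> Verifier:
    """Adapter for an Ed25519 public key; assumes the `cryptography` package."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import serialization

    public_key = serialization.load_pem_public_key(public_key_pem)

    def verify(keyid: Optional[str], sig: bytes, data: bytes) -> bool:
        try:
            public_key.verify(sig, data)
            return True
        except InvalidSignature:
            return False

    return verify


def build_sample_envelope() -> str:
    """Constructed sample (placeholder digest, actor and signature): an in-toto
    Statement shaped like the page's example, wrapped in a DSSE envelope."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example-artifact", "digest": {"sha256": "00" * 32}}],
        "predicateType": "https://jfrog.com/evidence/build-signature/v1",
        "predicate": {"actor": "example-user", "date": "2025-01-01T00:00:00Z"},
    }
    payload = json.dumps(statement, separators=(",", ":")).encode("utf-8")
    return json.dumps({
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": "sample-key",
                        "sig": base64.b64encode(b"placeholder-signature").decode("ascii")}],
    })


if __name__ == "__main__":
    parsed = parse_envelope(build_sample_envelope())
    decoded = decode_statement(parsed)
    print("predicateType:", decoded["predicateType"])
    for subject in decoded["subjects"]:
        print("subject:", subject["name"], subject["digest"])
    # A verifier that rejects everything exercises the failure path; a real one
    # would be ed25519_verifier(pem_bytes) built from the signer's public key.
    print("verified:", verify_envelope(parsed, lambda keyid, sig, data: False))
```

Two points worth noting from the code: a decoder should accept both base64 alphabets and missing padding, because the DSSE spec allows encoders to use either, and verification must be computed over the PAE bytes rather than the decoded payload, otherwise an envelope could be replayed under a different payloadType with the same signature.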

How can I trust that this is secure?

This tool does not handle or require your private keys to decode your DSSE envelopes. To verify the validity of your DSSE envelopes, all you need is a public key, which does not contain sensitive or proprietary information.

Additionally, this is a client-only tool that does not send out any data. Everything happens within the browser.

I now have my decoded evidence files. What should I do with them next?

The next step is to integrate your collected evidence into your GRC efforts. Your evidence files can form a trail of signed attestations ready for any internal or external auditor, helping you prove the quality, security, and operational steps you took to build production-ready software.

JFrog’s Evidence Collection can help you get started today. To learn more about JFrog, take a free tour or trial, or get in touch!
