From 4e7198259a833c434f8bf11328e0fadfba99f280 Mon Sep 17 00:00:00 2001 From: Appu Date: Tue, 14 Jan 2025 22:28:21 -0500 Subject: [PATCH] Update bundle.md Update payload information in the dsse type Signed-off-by: Appu --- content/en/about/bundle.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/content/en/about/bundle.md b/content/en/about/bundle.md index 5019efb2..b3f4a317 100644 --- a/content/en/about/bundle.md +++ b/content/en/about/bundle.md @@ -6,7 +6,7 @@ title: Sigstore Bundle Format weight: 4 --- -Last updated October 31, 2024 +Last updated January 14, 2025 Version 0.3.2 @@ -136,15 +136,13 @@ artifact at verification time. #### DSSE -A DSSE envelope can contain arbitrary payloads. Currently Sigstore clients only process the -payload type `"application/vnd.in-toto+json"`. Verifiers must verify that the payload type is a -supported and expected type. DSSE envelopes contained in a Sigstore Bundle must only contain a -single signature (the DSSE spec allows multiple). +The DSSE envelope in a Sigstore Bundle must conform to the [in-toto Envelope layer specification](https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md) where +`payloadType` is `"application/vnd.in-toto+json"` and the payload is an [in-toto statement](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md). DSSE envelopes in a Sigstore Bundle must also contain only a single signature (the DSSE spec allows multiple). ```json "dsseEnvelope": { { - "payload": "", + "payload": "", "payloadType": "application/vnd.in-toto+json", "signatures": [{ "keyid": "", @@ -154,6 +152,10 @@ single signature (the DSSE spec allows multiple). } ``` +where `payload` should would decode to +```json +``` + ### Examples Here are some example bundles from the Sigstore public infrastructure.
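Review bot: In the second hunk (the `#### DSSE` paragraph) the rewrite drops the verifier requirement that was in the removed lines: "Verifiers must verify that the payload type is a supported and expected type." The new text states what the envelope must contain, but no longer tells an implementer that the check on `payloadType` has to happen before the payload is interpreted, which is the part a verifier actually needs. Suggest keeping a sentence such as "Verifiers must reject envelopes whose `payloadType` is not `application/vnd.in-toto+json`" alongside the new wording. Separately, the old text said clients "currently only process" that payload type, while the new text makes it a "must conform" requirement; worth confirming that this normative tightening matches the bundle specification the page documents (Version 0.3.2), or wording it as current client behaviour as before.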
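Review bot: The third hunk adds a paragraph that is incomplete: "where `payload` should would decode to" has a stray word ("should would") and is followed by an empty ```json fence with no content, so the rendered page would show a sentence trailing into a blank code block. Either fill the block with a minimal in-toto statement (matching the `payloadType` the paragraph above specifies) or drop both the sentence and the fence until an example is available. Also end the sentence with punctuation (e.g. "where `payload` decodes to an in-toto statement such as:").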