diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index 90d82ad2..5d2c83a1 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -20,7 +20,7 @@
                 "dsseEnvelope": {
                     "$ref": "#/definitions/io.intoto.Envelope",
                     "additionalProperties": false,
-                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e"
+                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e DSSE envelopes in a bundle MUST have exactly one signture. This is a limitation from the DSSE spec, as it can contain multiple signatures. There are two primary reasons: 1. It simplfies the verification logic and policy 2. The bundle (currently) can only contain a single    instance of the required verification materials During verification a client MUST reject an envelope if the number of signatures is not equal to one."
                 }
             },
             "additionalProperties": false,
diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
index 68ffe779..3e65bf5d 100644
--- a/gen/jsonschema/schemas/Input.schema.json
+++ b/gen/jsonschema/schemas/Input.schema.json
@@ -53,7 +53,7 @@
                 "dsseEnvelope": {
                     "$ref": "#/definitions/io.intoto.Envelope",
                     "additionalProperties": false,
-                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e"
+                    "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e DSSE envelopes in a bundle MUST have exactly one signture. This is a limitation from the DSSE spec, as it can contain multiple signatures. There are two primary reasons: 1. It simplfies the verification logic and policy 2. The bundle (currently) can only contain a single    instance of the required verification materials During verification a client MUST reject an envelope if the number of signatures is not equal to one."
                 }
             },
             "additionalProperties": false,
diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
index 6ba51cfe..b3f44d1f 100644
--- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
+++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
@@ -367,6 +367,15 @@ type Bundle_DsseEnvelope struct {
 	// supported and expected type. This is part of the DSSE
 	// protocol which is defined here:
 	// <https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>
+	// DSSE envelopes in a bundle MUST have exactly one signture.
+	// This is a limitation from the DSSE spec, as it can contain
+	// multiple signatures. There are two primary reasons:
+	//  1. It simplfies the verification logic and policy
+	//  2. The bundle (currently) can only contain a single
+	//     instance of the required verification materials
+	//
+	// During verification a client MUST reject an envelope if
+	// the number of signatures is not equal to one.
 	DsseEnvelope *dsse.Envelope `protobuf:"bytes,4,opt,name=dsse_envelope,json=dsseEnvelope,proto3,oneof"`
 }
 
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
index 4acd86c8..8cae55c2 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py
@@ -109,5 +109,11 @@ class Bundle(betterproto.Message):
     A DSSE envelope can contain arbitrary payloads. Verifiers must verify that
     the payload type is a supported and expected type. This is part of the DSSE
     protocol which is defined here: <https://github.com/secure-systems-
-    lab/dsse/blob/master/protocol.md>
+    lab/dsse/blob/master/protocol.md> DSSE envelopes in a bundle MUST have
+    exactly one signture. This is a limitation from the DSSE spec, as it can
+    contain multiple signatures. There are two primary reasons: 1. It simplfies
+    the verification logic and policy 2. The bundle (currently) can only
+    contain a single    instance of the required verification materials During
+    verification a client MUST reject an envelope if the number of signatures
+    is not equal to one.
     """
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs
index b542a92d..cb9253ec 100644
--- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs
@@ -190,6 +190,14 @@ pub mod bundle {
         /// supported and expected type. This is part of the DSSE
         /// protocol which is defined here:
         /// <<https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>>
+        /// DSSE envelopes in a bundle MUST have exactly one signture.
+        /// This is a limitation from the DSSE spec, as it can contain
+        /// multiple signatures. There are two primary reasons:
+        /// 1. It simplfies the verification logic and policy
+        /// 2. The bundle (currently) can only contain a single
+        ///     instance of the required verification materials
+        /// During verification a client MUST reject an envelope if
+        /// the number of signatures is not equal to one.
         #[prost(message, tag = "4")]
         DsseEnvelope(super::super::super::super::super::io::intoto::Envelope),
     }
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
index c8da0f5a..71a7c58b 100644
Binary files a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin and b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin differ
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
index a7b611eb..cd9d6706 100644
--- a/protos/sigstore_bundle.proto
+++ b/protos/sigstore_bundle.proto
@@ -134,6 +134,14 @@ message Bundle {
                 // supported and expected type. This is part of the DSSE
                 // protocol which is defined here:
                 // <https://github.com/secure-systems-lab/dsse/blob/master/protocol.md>
+                // DSSE envelopes in a bundle MUST have exactly one signture.
+                // This is a limitation from the DSSE spec, as it can contain
+                // multiple signatures. There are two primary reasons:
+                // 1. It simplfies the verification logic and policy
+                // 2. The bundle (currently) can only contain a single
+                //    instance of the required verification materials
+                // During verification a client MUST reject an envelope if
+                // the number of signatures is not equal to one.
                 io.intoto.Envelope dsse_envelope = 4 [(google.api.field_behavior) = REQUIRED];
         }
         // Reserved for future additions of artifact types.