{ "slug": "digital_signatures", "term": "Digital Signatures", "category": "cryptography", "difficulty": "advanced", "short": "Cryptographic proof that data was created by the holder of a private key and has not been altered — providing authentication, integrity, and non-repudiation.", "long": "Signing: hash the data, encrypt the hash with the private key. Verification: decrypt the signature with the public key, hash the data independently, compare. If they match, the data is authentic and unmodified. Ed25519 is the modern recommended algorithm — faster and more secure than RSA signing. Used in: TLS certificates, JWT signing, Git signed commits, code signing, and API request authentication. Non-repudiation means the signer cannot deny having signed.", "aliases": [ "code signing", "digital signature", "Ed25519", "RSA signing" ], "tags": [ "cryptography", "security", "authentication" ], "misconception": "Digital signatures encrypt data for confidentiality — they prove integrity and authenticity but do not encrypt; the signed data remains readable.", "why_it_matters": "JWTs, signed webhooks, and code signing all rely on digital signatures — understanding the mechanism explains why the private key must never be shared and why public keys can be distributed freely.", "common_mistakes": [ "Using weak hash algorithms (MD5, SHA1) for signing — collision attacks allow forged signatures.", "Signing the wrong data — sign the canonical form of the data, not a developer-friendly representation.", "Not verifying the certificate chain when verifying a signature — the public key must be trusted.", "Confusing HMAC (symmetric shared secret) with digital signatures (asymmetric) — HMAC requires both parties to have the secret." ], "when_to_use": [], "avoid_when": [], "related": [ "asymmetric_encryption", "tls_handshake", "jwt_deep_dive", "hmac" ], "prerequisites": [ "asymmetric_encryption", "hmac", "public_key_infrastructure" ], "refs": [ "https://en.wikipedia.org/wiki/Digital_signature" ], "bad_code": "// Weak signing — SHA1 hash, vulnerable to collisions:\n$signature = openssl_sign($data, $sig, $privateKey, OPENSSL_ALGO_SHA1);\n\n// JWT signature verification skipped:\n$payload = json_decode(base64_decode(explode('.', $jwt)[1]));\n// Using payload without verifying signature — unsigned claims trusted", "good_code": "// Ed25519 signature with PHP:\nopenssl_sign($data, $signature, $privateKey, OPENSSL_ALGO_SHA256);\n\n// Verify:\n$valid = openssl_verify($data, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;\nif (!$valid) throw new SecurityException('Invalid signature');\n\n// HMAC for webhook verification (symmetric):\n$expected = hash_hmac('sha256', $payload, $secret);\nif (!hash_equals($expected, $receivedSig)) throw new SecurityException('Bad signature');", "quick_fix": "Use openssl_sign() with OPENSSL_ALGO_SHA256 to sign data and openssl_verify() to verify — digital signatures prove both authenticity and integrity with non-repudiation", "severity": "medium", "effort": "medium", "created": "2026-03-15", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/digital_signatures", "html_url": "https://codeclaritylab.com/glossary/digital_signatures", "json_url": "https://codeclaritylab.com/glossary/digital_signatures.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[Digital Signatures](https://codeclaritylab.com/glossary/digital_signatures) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/digital_signatures" } } } }