What is a Digital Signature

A digital signature is a cryptographic mechanism that proves two things: who created or approved a message, and that the message has not been changed since it was signed. It is the digital equivalent of a handwritten signature combined with a tamper-evident seal.

How it works

Signing uses the sender's private key. Verification uses the sender's public key. The process has three steps:

1. Hash — compute a hash of the message (e.g., SHA-256). This creates a fixed-size fingerprint of the content.
2. Sign — encrypt the hash with the sender's private key. The result is the signature.
3. Verify — the recipient decrypts the signature with the sender's public key, computes their own hash of the message, and compares. If they match, the message is authentic and unaltered.

If anyone changes even one bit of the message, the hash changes, and verification fails. If anyone tries to forge the signature, they cannot because they do not have the private key.

Common signature algorithms include:

• RSA-PSS — RSA-based signatures with probabilistic padding
• ECDSA — signatures using elliptic curves, used in TLS certificates
• Ed25519 — fast, deterministic signatures on Curve25519, used in SSH and modern systems

Why it matters

Digital signatures are the trust mechanism of the internet. TLS certificates are signed by Certificate Authorities. Git commits and tags can be signed to prove authorship. Software packages are signed to prevent supply-chain attacks. JWTs use signatures to ensure tokens have not been tampered with. Every time you verify that something is authentic and unmodified, digital signatures are doing the work.

See How Digital Signatures Work for the full walkthrough.