Digital Signature Workflow: Mermaid Sequence Diagram

Digital Signature Workflow sequence diagram

About Source

A digital signature is a cryptographic mechanism that proves a message was created by a specific private key holder (authentication) and has not been modified since it was signed (integrity). Unlike encryption, signing does not conceal the message — it creates verifiable proof of origin.

The signing process starts with hashing. The signer runs the message through a cryptographic hash function (SHA-256 or SHA-3) to produce a fixed-size digest. Hashing is deterministic — the same input always produces the same output — and collision-resistant, meaning it is computationally infeasible to find two different inputs that produce the same hash.

The signer then encrypts this hash with their private key using an asymmetric algorithm like RSA-PKCS1v15, RSA-PSS, or ECDSA. This encrypted hash is the digital signature. It is typically appended to the message or transmitted alongside it. The message itself is sent in the clear.

On the verification side, the verifier obtains the signer's public key — from a certificate, a public key server, or out-of-band trust. They run the same hash function on the received message to produce their own digest. They then decrypt the signature using the signer's public key to recover the original digest. If the two digests match, the signature is valid: the message was signed by the private key holder and has not been tampered with since.

This workflow is foundational in TLS certificates (CAs sign certificates with their private keys), JWT tokens (issuers sign the header and payload), code signing (publishers sign software packages), and git commit signing. See HMAC Signing Process for a symmetric alternative that is faster but requires a shared secret, and Certificate Authority Chain for how CAs use signatures to establish a chain of trust.

Frequently asked questions

A digital signature is a cryptographic value produced by running a message through a hash function and encrypting the resulting digest with the signer's private key. It proves that the message was created by the private key holder and that the content has not been altered since signing.

The verifier obtains the signer's public key, re-hashes the received message with the same algorithm, and decrypts the signature using the public key to recover the original hash. If both hashes match, the signature is valid. If the message was tampered with, the hashes will differ and verification fails.

A digital signature uses asymmetric keys: the signer's private key signs, and anyone with the public key can verify. This provides non-repudiation. HMAC uses a single shared secret key for both signing and verification, making it faster but unable to prove which party created the signature.

RSA-PSS and RSA-PKCS1v15 are widely used for legacy compatibility. ECDSA (with P-256 or secp256k1) offers equivalent security with much smaller key sizes and faster operations. Ed25519 (EdDSA) is the modern choice for new systems due to its speed, safety, and deterministic output.

mermaid

sequenceDiagram
    participant Signer
    participant Verifier
    participant PKI as Public Key Infrastructure

    note">Note over Signer: Signing Process
    Signer->&gt;Signer: Hash message with SHA-256\nproducing message digest
    Signer->&gt;Signer: Encrypt digest with private key\n(RSA-PSS or ECDSA)
    Signer->&gt;Verifier: Send message + digital signature

    note">Note over Verifier: Verification Process
    Verifier->&gt;PKI: Request signer's public key\n(or retrieve from certificate)
    PKI-->&gt;Verifier: Return authenticated public key
    Verifier->&gt;Verifier: Hash received message\nwith SHA-256
    Verifier->&gt;Verifier: Decrypt signature\nusing signer's public key
    Verifier->&gt;Verifier: Compare computed digest\nvs decrypted digest
    alt Digests match
        note">Note over Verifier: Signature VALID\nMessage authentic and unmodified
    else Digests differ
        note">Note over Verifier: Signature INVALID\nReject message
    end