
Signing

Cryptographic signatures (also known as digital signatures) use public-key cryptography to validate the authenticity and integrity of digital artifacts, messages, or software. A valid signature verifies the identity of the author/owner and that the digital data hasn't been altered.

The signing process uses a hash algorithm to create a one-way hash of the digital data. The signer's private key is used to encrypt the hash. The signature consists of the encrypted hash together with additional information, such as the hash algorithm used. The digital data and the signature are stored for retrieval by the receiving party, or are transmitted to the receiving party. If the digital content is sensitive, it may also be encrypted (typically with a symmetric key) as part of storage or transmission.

The receiver can verify that the digital content hasn't been altered by using the signer's public key to decrypt the signature and retrieve the hash. This hash is compared with a locally computed hash, using the hash algorithm recorded in the signature. If the hashes match, the digital content hasn't been altered in transit and its integrity is confirmed. Because the signature could only be decrypted with the signer's public key, the receiver has also verified that it was produced by the holder of the matching private key.

Examples of what cryptographic signatures can be used to sign include code releases, container images and security artifacts, git commits, and authentication/authorization exchanges such as JWT and mTLS.

Characteristics

Public-Key Cryptography

Public-key cryptography, or asymmetric cryptography, makes use of a pair of related keys. The private key must be kept secret, while the public key can be openly shared and distributed without compromising security. Asymmetric means that what one key of the pair encrypts, only the other key can decrypt, and vice versa.

To create a digital signature, the private key is used to encrypt the hash of the data. The hash can only be decrypted by the public key in the key pair. This ensures that only the holder of the private key can create the signature, while anyone holding the public key can verify it.
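The sign/verify flow described above (hash the data, sign the hash with the private key, bundle the signature with the hash algorithm, then recompute and compare on the receiving side) as an added, self-contained Go example. This is illustrative code written for this page, not code from the page's author or from any signing project; the `Signature` type, the `Sign`/`Verify` function names and the sample artifact bytes are all constructed here. It uses the standard library's RSA PKCS#1 v1.5 with SHA-256, which matches the "encrypt the hash" model the text uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signature bundles the signed digest with the hash algorithm the verifier
// must use to recompute it, mirroring the description above. (Type and
// field names are assumptions made for this example.)
type Signature struct {
	HashAlg string // name of the hash algorithm, e.g. "SHA-256"
	Sig     []byte // RSA PKCS#1 v1.5 signature over the SHA-256 digest
}

// Sign hashes data with SHA-256 and signs the digest with the private key.
func Sign(priv *rsa.PrivateKey, data []byte) (Signature, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Signature{}, err
	}
	return Signature{HashAlg: "SHA-256", Sig: sig}, nil
}

// Verify recomputes the digest locally and checks the signature with the
// public key. The algorithm named inside the signature is only honoured if it
// is one the verifier accepts, so an attacker-controlled signature cannot
// downgrade the check to a weaker hash.
func Verify(pub *rsa.PublicKey, data []byte, s Signature) error {
	if s.HashAlg != "SHA-256" {
		return fmt.Errorf("unsupported hash algorithm %q", s.HashAlg)
	}
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], s.Sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact; in practice this would be a release
	// tarball, an image manifest or a commit object.
	artifact := []byte("example-release-1.2.3.tar.gz (constructed contents)")

	sig, err := Sign(priv, artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched artifact verifies:", Verify(&priv.PublicKey, artifact, sig) == nil)

	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01 // flip one bit, as if altered in transit
	fmt.Println("tampered artifact rejected:", Verify(&priv.PublicKey, tampered, sig) != nil)

	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrong public key rejected:", Verify(&other.PublicKey, artifact, sig) != nil)
}
```

The important design choice on the verifying side is that the receiver decides which hash algorithms it will accept; the algorithm field in the signature is used to select among those, never to extend them.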

Signature

A digital signature is used to verify the authenticity and integrity of some data. It's stored or transmitted with the data.

Certificate Trust Chain

Public-key infrastructure is used to manage certificates, which bind a public key to validity and identity information. A Certificate Authority (CA) creates the certificates, and there may be a chain of intermediate certificates to enable management at scale. Validity information, such as validity periods and permitted usage types, and identity information can be used to provide additional validation of the entity that produced the signature.
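An added Go example of the trust-chain validation this paragraph describes: a root CA, an intermediate issued by the root, and a leaf signing certificate issued by the intermediate, checked against a trusted root, a point in time, and a required usage. This is example code written for this page, not code from the page's author or from any PKI tooling; the CA names, serial numbers, validity windows and the `Chain`, `issue`, `BuildChain` and `VerifyLeaf` identifiers are all constructed here. It uses the standard library's `crypto/x509` verifier, which enforces the chain, the validity period and the extended key usage restriction.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI: a self-signed root CA, an
// intermediate CA issued by the root, and a leaf certificate issued by the
// intermediate that is restricted to code signing.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue generates a fresh P-256 key for the subject, signs template with the
// parent's key and returns the parsed certificate plus the subject's key.
// When parentKey is nil the subject signs its own certificate (self-signed).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs the chain with validity windows starting at base:
// CA certificates last ten years, the leaf signing certificate one day.
func BuildChain(base time.Time) (*Chain, error) {
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             base,
			NotAfter:              base.AddDate(10, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTpl := caTemplate(1, "Example Root CA (constructed)")
	root, rootKey, err := issue(rootTpl, rootTpl, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Example Intermediate CA (constructed)"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "release-signer@example.test"},
		NotBefore:    base,
		NotAfter:     base.Add(24 * time.Hour), // short-lived signing certificate
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf, _, err := issue(leafTpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf checks that the leaf chains to the trusted root through the
// intermediate, is within its validity period at time at, and permits usage.
func VerifyLeaf(c *Chain, trusted *x509.Certificate, at time.Time, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	c, err := BuildChain(base)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid chain, code signing:", VerifyLeaf(c, c.Root, base.Add(time.Hour), x509.ExtKeyUsageCodeSigning))
	fmt.Println("expired leaf:", VerifyLeaf(c, c.Root, base.Add(48*time.Hour), x509.ExtKeyUsageCodeSigning))
	fmt.Println("wrong usage (server auth):", VerifyLeaf(c, c.Root, base.Add(time.Hour), x509.ExtKeyUsageServerAuth))
}
```

Verifying the signature alone proves the private key was used; verifying the certificate chain is what ties that key to an identity the relying party trusts, and the validity period and usage restrictions let an issuer limit how long and for what purpose a signing key is accepted.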

Examples

Artifact Signing

Learn More