Glossary

Signature (cryptographic)

Cryptographic proof of authorship

A cryptographic signature is a short string of bytes that proves a specific message was produced by someone in possession of a private key, without revealing the private key. Verifying the signature requires only the corresponding public key (for asymmetric algorithms) or the shared secret (for symmetric).

The basic asymmetric flow (using RSA, ECDSA, or Ed25519):

  1. The signer hashes the message (typically with SHA-256).
  2. The signer applies their private key to the hash. Output: the signature. (For RSA this is often described as "encrypting" the hash; ECDSA and Ed25519 use a different private-key operation, but the structure of the flow is the same.)
  3. The verifier hashes the received message with the same hash function.
  4. The verifier applies the public key to the signature. Output: the hash the signer committed to. (For RSA this is literally decrypting the signature; ECDSA and Ed25519 instead check an equation over the hash and signature, with the same effect.)
  5. If the two hashes match, the signature is valid and the message wasn't tampered with. Any change to the message, the signature, or the public key used makes the check fail.

Symmetric signatures (HMAC) use a shared secret instead of a key pair. The signer and verifier both hold the secret; both compute HMAC(secret, message) and compare the results (using a constant-time comparison, so the comparison itself does not leak the tag). HMAC is faster than asymmetric signing, but it is only useful when the parties already trust each other: anyone who holds the secret can also forge tags, so HMAC cannot provide third-party verification or non-repudiation.
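The five-step asymmetric flow and the HMAC variant, as an added example that is not part of the original glossary entry. It uses textbook RSA over two small Mersenne primes (an insecure, unpadded toy chosen so the "apply the private key to the hash" step is visible) and the standard-library `hmac` module; the tampered-message case shows the check failing, and the final function shows why a shared secret cannot give third-party verification.

```python
import hashlib
import hmac

# Toy RSA key pair: two Mersenne primes, chosen for illustration only.
# The modulus is ~92 bits and there is no padding, so this is NOT a secure
# signature scheme; real code uses a vetted library with 2048+ bit keys.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537              # public exponent (coprime to PHI)
D = pow(E, -1, PHI)    # private exponent


def digest_int(message: bytes) -> int:
    """Steps 1 and 3: hash the message and read the digest as an integer.

    The SHA-256 digest (256 bits) is reduced mod N only because the toy
    modulus is smaller than the digest; real RSA pads instead.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: apply the private exponent to the hash. Output: the signature."""
    return pow(digest_int(message), d, n)


def rsa_verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Steps 3-5: rehash, apply the public exponent to the signature, compare."""
    return pow(signature, e, n) == digest_int(message)


def hmac_sign(secret: bytes, message: bytes) -> bytes:
    """Symmetric variant: both parties compute HMAC(secret, message)."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def hmac_verify(secret: bytes, message: bytes, tag: bytes) -> bool:
    """compare_digest runs in constant time, so the comparison leaks nothing."""
    return hmac.compare_digest(hmac_sign(secret, message), tag)


def hmac_holder_can_forge(secret: bytes, message: bytes) -> bool:
    """Anyone with the secret produces tags that verify: no third-party proof."""
    return hmac_verify(secret, message, hmac_sign(secret, message))
```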

Where signatures appear in the working stack: JWT tokens (the third segment), TLS certificate chains, code signing (Apple notarisation, Windows Authenticode), Git commits and tags (GPG-signed), Bitcoin transactions, software package distribution (Linux package managers, Homebrew formulas). Each context bundles the signature with a specific algorithm and key-management story; the underlying primitive is the same.

Published May 16, 2026