npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@signageos/digital-signature

v3.2.0

Published

NodeJS SDK to generate and validate digital signatures

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

misak113misak113kytartkytartpetrbilypetrbilysignageos.iosignageos.iovasekbochvasekboch

Keywords

signageOSDigital SignatureED25519RSA

Readme

Digital Signature SDK

Note: This repository is a fork. The upstream repository can be found at eBay/digital-signature-nodejs-sdk.

HTTP message signatures provide a mechanism for end-to-end authenticity and integrity for components of an HTTP message.

This NodeJS SDK is designed to simplify the process of generating digital signature headers and also provides a method to validate the digital signature headers.

Table of contents

Digital Signatures for Public API Calls

To ensure the authenticity and integrity of HTTP calls there can be added extra layer that sign responses and clients can verify the signature. This is especially important for system with high security requirements and potential security breaches can highly impact the system.

This SDK is generic and the signature scheme is compliant with these IETF standards.

Features

This SDK is intended to generate required message signature headers, as per the above IETF standards, and also provides a way to verfiy signature headers. There is also an example NodeJS service included with the SDK.

This SDK incorporates

  • Generation of the following HTTP message signature headers:
    • Content-Digest: This header includes a SHA-256 digest over the HTTP payload (as specified in RFC 9530 Digest Fields), if any. It is not required to be sent for APIs that do not include a request payload (e.g. GET requests). generateDigestHeader method is used to generate the digest header.
    • Signature-Input: This header indicates which headers and pseudo-headers are included, as well as the order in which they are used when calculating the signature. It is created as specified in RFC 9421 HTTP Message Signatures. generateSignatureInput method is used to generate the signature input header.
    • Signature: The value of the Signature header is created as described in Section 3.1, Creating a Signature, of RFC9421. It uses the Private Key value generated using OpenSSL (ED25519 or RSA). generateSignature method is used to generate the signature header.
    • ${config.signatureKeyHeader}: This header includes the JWE that is created using the builtin function generateSignatureKey i.e. x-sos-signature-key
  • signMessage method to sign the incoming request object
  • validateSignature method to validate the signature of the incoming request object
  • There are individual methods as well to generate and validate the headers:
    • generateDigestHeader
    • generateSignature
    • generateSignatureInput
    • generateSignatureKey
    • validateDigestHeader
    • validateSignatureHeader

Usage

Prerequisites

NodeJS: v16 or higher
NPM: v7 or higher

Install

Using npm:

npm install @signageos/digital-signature

Using yarn:

yarn add @signageos/digital-signature

Configure

In order to run the example application (signing-only) the example-config.json needs to be updated.

{
  "digestAlgorithm": "<Algorithm used for generating content digest>",
  "jwe": "<JWE generated using OpenSSL>",
  "privateKey": "<Private key generated using OpenSSL>",
  "signatureComponents": "<Signature components for generating the base string>",
  "signatureParams": "<List of signature params>"
}

For both signing and signature validation, use example-config-full.json.

{
  "digestAlgorithm": "<Algorithm used for generating content digest>",
  "jweHeaderParams": "<The JWE header params>",
  "jwtExpiration": "<The JWT expiration in years>",
  "jwtPayload": "<The JWT  payload params>",
  "masterKey": "<The symmetric key used for JWE encryption and decryption>",
  "privateKey": "<Private key generated using OpenSSL>",
  "publicKey": "<Public key generated using OpenSSL>",
  "signatureComponents": "<Signature components for generating the base string>",
  "signatureParams": "<List of signature params>"
}

Publish NPM package

# Update package.json version property to describe your changes
npm publish --access=public

Parameters

| Name | Type | Description | | :------ | :------ | :------ | | digestAlgorithm | string | The algorithm for generating the Content-Digest header. Supported values are sha256, sha512 and md5 | | jwe | string | The JWE generated using the builtin function generateSignatureKey i.e. x-sos-signature-key. Other jwe* are not needed when this is provided. | | jweHeaderParams | JSON object | The JWE header params. This is required only if a JWE is not provided in the config. | | jwtExpiration | number | The JWT expiration in years. This is required only if a JWE is not provided in the config. | | jwtPayload | JSON object | The JWT payload params. This is required only if a JWE is not provided in the config. | | masterKey | string | The symmetric key. This is required only if a JWE is not provided in the config. | | privateKey | string | The privateKey generated using OpenSSL (ED25519 or RSA) | | publicKey | string | The publicKey generated using OpenSSL (ED25519 or RSA) | | signatureComponents | JSON object | The signature components that are a part of the signatureParams. These are used to generate the base string which is used to generate the signature header| | signatureParams | Array | The list of headers that indicates which headers and pseudo-headers are included, as well as the order in which they are used when calculating the signature|

Note: You can refer to example.js for an example of how to setup an express server and use the SDK.

Running the example

Using npm:

npm start

Using yarn:

yarn start

JWE generation

openssl genpkey -algorithm ED25519 -out private.pem
openssl pkey -in private.pem -pubout -out public.pem
openssl rand -base64 32 > master.key
const publicKeyPem = await fs.readFile('public.pem', { encoding: 'utf-8' });
const publicKey = publicKeyPem.replace(/-----BEGIN PUBLIC KEY-----/g, '').replace(/-----END PUBLIC KEY-----/g, '').trim();
const signatureConfig = {
	jweHeaderParams: {
		alg: 'A256GCMKW',
		enc: 'A256GCM',
		zip: 'DEF',
	},
	jwtExpiration: 100, // in years
	jwtPayload: {
		pkey: publicKey,
	},
	masterKey: 'master.key',
	publicKey: 'public.pem',
};
const jwe = await generateSignatureKey(signatureConfig);
console.log('JWE:', jwe);

Note for Production deployment

For production, please host with HTTPS enabled.

Logging

Uses standard console logging.

License

See the LICENSE file for license rights.