# Use `Sign` with an AWS SDK or CLI The following code examples show how to use `Sign`. Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example: + [Learn the basics](example_kms_Scenario_Basics_section.md) ------ #### [ CLI ] **AWS CLI** **Example 1: To generate a digital signature for a message** The following `sign` example generates a cryptographic signature for a short message. The output of the command includes a base-64 encoded `Signature` field that you can verify by using the `verify` command. You must specify a message to sign and a signing algorithm that your asymmetric KMS key supports. To get the signing algorithms for your KMS key, use the `describe-key` command. In AWS CLI v2, the value of the `message` parameter must be Base64-encoded. Or, you can save the message in a file and use the `fileb://` prefix, which tells the AWS CLI to read binary data from the file. Before running this command, replace the example key ID with a valid key ID from your AWS account. The key ID must represent an asymmetric KMS key with a key usage of SIGN\$1VERIFY. ``` msg=(echo 'Hello World' | base64) aws kms sign \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --message fileb://UnsignedMessage \ --message-type RAW \ --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 ``` Output: ``` { "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Signature": "ABCDEFhpyVYyTxbafE74ccSvEJLJr3zuoV1Hfymz4qv+/fxmxNLA7SE1SiF8lHw80fKZZ3bJ...", "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256" } ``` For more information about using asymmetric KMS keys in AWS KMS, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*. **Example 2: To save a digital signature in a file (Linux and macOs)** The following `sign` example generates a cryptographic signature for a short message stored in a local file. The command also gets the `Signature` property from the response, Base64-decodes it and saves it in the ExampleSignature file. You can use the signature file in a `verify` command that verifies the signature. The `sign` command requires a Base64-encoded message and a signing algorithm that your asymmetric KMS key supports. To get the signing algorithms that your KMS key supports, use the `describe-key` command. Before running this command, replace the example key ID with a valid key ID from your AWS account. The key ID must represent an asymmetric KMS key with a key usage of SIGN\$1VERIFY. ``` echo 'hello world' | base64 > EncodedMessage aws kms sign \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --message fileb://EncodedMessage \ --message-type RAW \ --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 \ --output text \ --query Signature | base64 --decode > ExampleSignature ``` This command produces no output. This example extracts the `Signature` property of the output and saves it in a file. For more information about using asymmetric KMS keys in AWS KMS, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*. + For API details, see [Sign](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/sign.html) in *AWS CLI Command Reference*. ------ #### [ Java ] **SDK for Java 2.x** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/kms#code-examples). ``` /** * Asynchronously signs and verifies data using AWS KMS. * *

The method performs the following steps: *

    *
  1. Creates an AWS KMS key with the specified key spec, key usage, and origin.
    2. *
  2. Signs the provided message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
    3. *
  3. Verifies the signature of the message using the created KMS key and the RSASSA-PSS-SHA-256 algorithm.
    4. *
* * @return a {@link CompletableFuture} that completes with the result of the signature verification, * {@code true} if the signature is valid, {@code false} otherwise. * @throws KmsException if any error occurs during the KMS operations. * @throws RuntimeException if an unexpected error occurs. */ public CompletableFuture signVerifyDataAsync() { String signMessage = "Here is the message that will be digitally signed"; // Create an AWS KMS key used to digitally sign data. CreateKeyRequest createKeyRequest = CreateKeyRequest.builder() .keySpec(KeySpec.RSA_2048) .keyUsage(KeyUsageType.SIGN_VERIFY) .origin(OriginType.AWS_KMS) .build(); return getAsyncClient().createKey(createKeyRequest) .thenCompose(createKeyResponse -> { String keyId = createKeyResponse.keyMetadata().keyId(); SdkBytes messageBytes = SdkBytes.fromString(signMessage, Charset.defaultCharset()); SignRequest signRequest = SignRequest.builder() .keyId(keyId) .message(messageBytes) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().sign(signRequest) .thenCompose(signResponse -> { byte[] signedBytes = signResponse.signature().asByteArray(); VerifyRequest verifyRequest = VerifyRequest.builder() .keyId(keyId) .message(SdkBytes.fromByteArray(signMessage.getBytes(Charset.defaultCharset()))) .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signedBytes))) .signingAlgorithm(SigningAlgorithmSpec.RSASSA_PSS_SHA_256) .build(); return getAsyncClient().verify(verifyRequest) .thenApply(verifyResponse -> { return (boolean) verifyResponse.signatureValid(); }); }); }) .exceptionally(throwable -> { throw new RuntimeException("Failed to sign or verify data", throwable); }); } ``` + For API details, see [Sign](https://docs.aws.amazon.com/goto/SdkForJavaV2/kms-2014-11-01/Sign) in *AWS SDK for Java 2.x API Reference*. ------ #### [ PHP ] **SDK for PHP** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/kms#code-examples). ``` /*** * @param string $keyId * @param string $message * @param string $algorithm * @return Result */ public function sign(string $keyId, string $message, string $algorithm) { try { return $this->client->sign([ 'KeyId' => $keyId, 'Message' => $message, 'SigningAlgorithm' => $algorithm, ]); }catch(KmsException $caught){ echo "There was a problem signing the data: {$caught->getAwsErrorMessage()}\n"; throw $caught; } } ``` + For API details, see [Sign](https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Sign) in *AWS SDK for PHP API Reference*. ------ #### [ Python ] **SDK for Python (Boto3)** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/kms#code-examples). ``` class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def sign(self, key_id: str, message: str) -> str: """ Signs a message with a key. :param key_id: The ARN or ID of the key to use for signing. :param message: The message to sign. :return: The signature of the message. """ try: return self.kms_client.sign( KeyId=key_id, Message=message.encode(), SigningAlgorithm="RSASSA_PSS_SHA_256", )["Signature"] except ClientError as err: logger.error( "Couldn't sign your message. Here's why: %s", err.response["Error"]["Message"], ) raise ``` + For API details, see [Sign](https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Sign) in *AWS SDK for Python (Boto3) API Reference*. ------ #### [ SAP ABAP ] **SDK for SAP ABAP** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/kms#code-examples). ``` TRY. " iv_key_id = 'arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab' (asymmetric key) " iv_message contains the message to sign " iv_signing_algorithm = 'RSASSA_PSS_SHA_256' oo_result = lo_kms->sign( iv_keyid = iv_key_id iv_message = iv_message iv_signingalgorithm = iv_signing_algorithm ). MESSAGE 'Message signed successfully.' TYPE 'I'. CATCH /aws1/cx_kmsdisabledexception. MESSAGE 'The key is disabled.' TYPE 'E'. CATCH /aws1/cx_kmsnotfoundexception. MESSAGE 'Key not found.' TYPE 'E'. CATCH /aws1/cx_kmsinvalidkeyusageex. MESSAGE 'Key cannot be used for signing.' TYPE 'E'. CATCH /aws1/cx_kmskmsinternalex. MESSAGE 'An internal error occurred.' TYPE 'E'. ENDTRY. ``` + For API details, see [Sign](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*. ------ For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.