Use Verify
with an AWS SDK or CLI
The following code examples show how to use Verify
.
- CLI
-
- AWS CLI
-
To verify a digital signature
The following
verify
example verifies a cryptographic signature for a short, Base64-encoded message. The key ID, message, message type, and signing algorithm must be same ones that were used to sign the message. The signature that you specify cannot be base64-encoded. For help decoding the signature that thesign
command returns, see thesign
command examples.The output of the command includes a Boolean
SignatureValid
field that indicates that the signature was verified. If the signature validation fails, theverify
command fails, too.Before running this command, replace the example key ID with a valid key ID from your AWS account.
aws kms verify \ --key-id
1234abcd-12ab-34cd-56ef-1234567890ab
\ --messagefileb://EncodedMessage
\ --message-typeRAW
\ --signing-algorithmRSASSA_PKCS1_V1_5_SHA_256
\ --signaturefileb://ExampleSignature
Output:
{ "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "SignatureValid": true, "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256" }
For more information about using asymmetric KMS keys in AWS KMS, see Using asymmetric keys in the AWS Key Management Service Developer Guide.
-
For API details, see Verify
in AWS CLI Command Reference.
-
- Python
-
- SDK for Python (Boto3)
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
. class KeyEncrypt: def __init__(self, kms_client): self.kms_client = kms_client @classmethod def from_client(cls) -> "KeyEncrypt": """ Creates a KeyEncrypt instance with a default KMS client. :return: An instance of KeyEncrypt initialized with the default KMS client. """ kms_client = boto3.client("kms") return cls(kms_client) def verify(self, key_id: str, message: str, signature: str) -> bool: """ Verifies a signature against a message. :param key_id: The ARN or ID of the key used to sign the message. :param message: The message to verify. :param signature: The signature to verify. :return: True when the signature matches the message, otherwise False. """ try: response = self.kms_client.verify( KeyId=key_id, Message=message.encode(), Signature=signature, SigningAlgorithm="RSASSA_PSS_SHA_256", ) valid = response["SignatureValid"] print(f"The signature is {'valid' if valid else 'invalid'}.") return valid except ClientError as err: if err.response["Error"]["Code"] == "SignatureDoesNotMatchException": print("The signature is not valid.") else: logger.error( "Couldn't verify your signature. Here's why: %s", err.response["Error"]["Message"], ) raise
-
For API details, see Verify in AWS SDK for Python (Boto3) API Reference.
-
For a complete list of AWS SDK developer guides and code examples, see Using this service with an AWS SDK. This topic also includes information about getting started and details about previous SDK versions.