Use the KMS instance SDK Python client to sign data and verify digital signatures with an asymmetric key. This page provides a complete working example followed by a step-by-step breakdown.
All examples use sign_with_options and verify_with_options to submit requests through a configured client.
Prerequisites
Before you begin, ensure that you have:
Initialized the KMS instance SDK client. See Initialize the client
An asymmetric key ID (
key_id) and a supported signing algorithm
Complete example
Step-by-step walkthrough
Initialize the client
See Initialize the client for full setup instructions. Set config.protocol to "https" — the KMS instance service only accepts HTTPS connections.
# -*- coding: utf-8 -*-
import os
from openapi.models import Config
from sdk.client import Client
config = Config()
config.protocol = "https"
config.client_key_file = "<CLIENT_KEY_FILE>"
config.password = os.getenv('CLIENT_KEY_PASSWORD')
# Format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
config.endpoint = "<ENDPOINT>"
client = Client(config)Sign data with an asymmetric key
Call the Sign API to generate a digital signature.
Set message_type to "RAW" to sign the raw message, or "DIGEST" to sign a pre-computed message digest.
def sign(key_id, message, message_type, algorithm):
request = SignRequest()
request.key_id = key_id # ID of the asymmetric key to use
request.message = message # Data to sign (bytes)
request.message_type = message_type # "RAW" or "DIGEST"
request.algorithm = algorithm # Signing algorithm the key supports
runtime_options = RuntimeOptions()
# runtime_options.ignore_ssl = True # Uncomment to skip certificate verification
runtime_options.verify = "<CA_CERTIFICATE_FILE_PATH>"
resp = client.sign_with_options(request, runtime_options)
print(resp)
return SignContext(resp.key_id, resp.message_type, resp.signature, resp.algorithm)The Sign response includes:
| Field | Description |
|---|---|
resp.key_id | ID of the key that generated the signature |
resp.signature | The digital signature (bytes) |
resp.algorithm | The signing algorithm used |
resp.message_type | The message type (RAW or DIGEST) |
SignContext stores these fields so you can pass them directly to verify().
Verify a digital signature
Call the Verify API to validate a signature against the original message.
def verify(context, message):
request = VerifyRequest()
request.key_id = context.key_id # Must match the key used to sign
request.message_type = context.message_type
request.signature = context.signature # Signature from the Sign response
request.algorithm = context.algorithm # Must match the algorithm used to sign
request.message = message # Original data (same as what was signed)
runtime_options = RuntimeOptions()
# runtime_options.ignore_ssl = True # Uncomment to skip certificate verification
runtime_options.verify = "<CA_CERTIFICATE_FILE_PATH>"
resp = client.verify_with_options(request, runtime_options)
print(resp)