Sign
Creates RSA digital signatures using a private key and the PKCS#1 v1.5 signature scheme. Digital signatures provide authentication, integrity verification, and non-repudiation for data and documents.
Common Properties
- Name - The custom name of the node.
- Color - The custom color of the node.
- Delay Before (sec) - Waits in seconds before executing the node.
- Delay After (sec) - Waits in seconds after executing node.
- Continue On Error - Automation will continue regardless of any error. The default value is false.
info
If the ContinueOnError property is true, no error is caught when the project is executed, even if a Catch node is used.
Inputs
- Hash - The data or hash to sign. Format depends on Input Format option.
Options
- Private Key - The RSA private key credential in PEM format. Retrieved from Robomotion Vault.
- Hash Function - The cryptographic hash algorithm used before signing:
- md5 - MD5 (not recommended for security)
- sha1 - SHA-1 (legacy, use SHA-256+)
- sha256 - SHA-256 (recommended)
- sha512 - SHA-512 (high security)
- Input Format - How to interpret the input data:
- Hex - Input is hexadecimal string, will be decoded and hashed
- Raw String - Input is UTF-8 text, will be hashed
- Pre-hashed - Input is already a computed hash (hexadecimal), won't be hashed again
Output
- signature - The RSA signature in hexadecimal format.
How It Works
The Sign node creates RSA digital signatures using asymmetric cryptography:
- Receives the input data and retrieves the private key from vault
- Decodes the private key from PEM format
- Parses the PKCS#1 private key
- Processes the input based on format:
- Hex: Decodes hex string and hashes it
- Raw String: Treats as UTF-8 text and hashes it
- Pre-hashed: Decodes hex string, skips hashing
- Applies the selected hash function (if needed)
- Signs the hash using RSA PKCS#1 v1.5 signature algorithm
- Encodes the signature as hexadecimal string
- Returns the signature
The signature can be verified by anyone with the corresponding public key.
Example Usage
Sign Document Hash
// 1. Calculate hash of document
const document = "Important legal contract...";
// Use Text Hash node with SHA-256
const documentHash = "{{msg.hash}}";
// 2. Sign the hash with private key
// Use Sign node
// Hash: documentHash (from previous step)
// Hash Function: sha256
// Input Format: Pre-hashed
// Private Key: legal_signing_key (from vault)
const signature = "{{msg.signature}}";
// 3. Store signature with document
// Recipients can verify with public key
Sign API Request
// Create signed API request for authentication
const apiRequest = JSON.stringify({
action: "withdraw",
amount: 1000,
account: "12345",
timestamp: Date.now()
});
// Use Sign node
// Hash: apiRequest
// Hash Function: sha256
// Input Format: Raw String
// Private Key: api_signing_key
const requestSignature = "{{msg.signature}}";
// Send request with signature
// POST /api/withdraw
// Headers: {"X-Signature": requestSignature}
// Body: apiRequest
Code Signing
// Sign software package for distribution
// 1. Calculate hash of executable file
const executableFile = "/dist/myapp.exe";
// Use File Hash node with SHA-256
const fileHash = "{{msg.hash}}";
// 2. Sign the file hash
// Use Sign node
// Hash: fileHash
// Hash Function: sha256
// Input Format: Pre-hashed
// Private Key: code_signing_key
const codeSignature = "{{msg.signature}}";
// 3. Distribute file with signature
// Users verify with your public key
Sign Email Message
// Create email signature (simplified DKIM-style)
const emailHeaders = "From: sender@example.com\n" +
"To: recipient@example.com\n" +
"Subject: Important Message\n";
const emailBody = "This is the email content...";
const emailContent = emailHeaders + "\n" + emailBody;
// Use Sign node
// Hash: emailContent
// Hash Function: sha256
// Input Format: Raw String
const emailSignature = "{{msg.signature}}";
// Add signature to email headers
// X-Signature: emailSignature
Multi-Party Signing
// Multiple parties sign the same document
const contract = "Multi-party agreement...";
// Party A signs
// Use Sign node with party_a_private_key
const signatureA = "{{msg.signature}}";
// Party B signs
// Use Sign node with party_b_private_key
const signatureB = "{{msg.signature}}";
// Store document with both signatures
// {
// contract: contract,
// signatures: {
// partyA: signatureA,
// partyB: signatureB
// }
// }
Timestamped Signature
// Create signature with timestamp for non-repudiation
const data = "Transaction details...";
const timestamp = Date.now();
const signedData = data + "|timestamp:" + timestamp;
// Use Sign node
const signature = "{{msg.signature}}";
// Store all three pieces
// {
// data: data,
// timestamp: timestamp,
// signature: signature
// }
Requirements
- Valid RSA private key in PEM format (PKCS#1)
- Private key stored securely in Robomotion Vault
- Recommended minimum key size: 2048 bits (4096 bits for high security)
- Input data in appropriate format
Error Handling
The node will return errors in the following cases:
- Missing private key - Private key credential not found in vault
- Invalid PEM format - Private key is not valid PEM
- Invalid key format - Not a valid PKCS#1 private key
- Invalid input format - Hex input contains non-hexadecimal characters
- Signing failure - RSA signing operation failed
- Key size mismatch - Data size exceeds RSA key limitations
Security Best Practices
- Protect private keys - Store private keys only in Robomotion Vault
- Use strong keys - Minimum 2048-bit RSA keys, prefer 4096-bit
- Use SHA-256 or higher - Avoid MD5 and SHA-1 for security
- Never share private keys - Only distribute public keys
- Rotate keys - Change signing keys periodically
- Secure key generation - Generate keys using cryptographically secure methods
- Audit signatures - Log when signatures are created
- Limit key access - Only authorized flows should access private keys
- Use pre-hashed for large data - Hash large data first, then sign the hash
- Include timestamps - Prevent signature replay attacks
Input Format Guide
Hex (Default)
Use when you have hexadecimal-encoded data:
// Hex input (will be decoded and hashed)
const hexData = "48656c6c6f"; // "Hello" in hex
// Use Sign node with Input Format: Hex
Raw String
Use for plain text, JSON, or other UTF-8 strings:
// Raw string input (will be hashed)
const textData = "Hello World";
// Use Sign node with Input Format: Raw String
Pre-hashed
Use when you've already calculated the hash:
// Already calculated hash
// Use Text Hash or File Hash node first
const existingHash = "a1b2c3d4..."; // Pre-computed hash
// Use Sign node with Input Format: Pre-hashed
RSA Key Generation
To generate RSA key pairs:
# Generate 4096-bit private key
openssl genrsa -out private_key.pem 4096
# Extract public key
openssl rsa -in private_key.pem -pubout -out public_key.pem
# Store private_key.pem in Robomotion Vault
# Distribute public_key.pem to verifiers
Signature Verification
Recipients verify signatures using the Verify node with your public key:
// Signer side (this node)
// Use Sign node
const signature = "{{msg.signature}}";
// Verifier side
// Use Verify node with:
// - Original hash/data
// - Signature
// - Public key
// Verify node returns success if signature is valid
Common Use Cases
- Document Signing - Sign contracts, agreements, and legal documents
- Code Signing - Sign software packages and executables
- API Authentication - Sign API requests to prove identity
- Email Signing - Create email signatures (DKIM-like)
- Transaction Authorization - Sign financial transactions
- Audit Trails - Create non-repudiable audit records
- Certificate Signing - Sign digital certificates
- Blockchain - Sign blockchain transactions
Algorithm Selection
SHA-256 (Recommended)
- Standard for most applications
- Good balance of security and performance
- Widely supported
- Output: 64 hex characters before signing
SHA-512 (High Security)
- Higher security margin
- Better for long-term signatures
- Slower than SHA-256
- Output: 128 hex characters before signing
SHA-1 (Legacy Only)
- Deprecated for security
- Only for legacy system compatibility
- Not recommended for new implementations
MD5 (Not Recommended)
- Cryptographically broken
- Should not be used for security
Performance Considerations
- RSA signing is CPU-intensive
- Signing time increases with key size:
- 2048-bit: ~1-2ms per signature
- 4096-bit: ~5-10ms per signature
- Pre-hash large data to improve performance
- Consider parallel signing for batch operations
- Signing is much slower than HMAC (symmetric)
Tips for Effective Use
- Always use same hash function for signing and verification
- Pre-hash large files or documents before signing
- Store signatures with original data for later verification
- Include metadata (timestamp, signer ID) with signatures
- Test signature verification before deployment
- Document which public key corresponds to each private key
- Implement signature expiration for time-sensitive operations
- Use appropriate key sizes for your security requirements
Troubleshooting
Signing Fails
- Check private key - Verify key is valid PKCS#1 PEM format
- Verify key in vault - Ensure private key credential exists
- Check input format - Match input format with data type
- Key size - Ensure key is large enough (minimum 2048-bit)
Verification Fails
- Hash function mismatch - Use same hash function for sign and verify
- Public/private key mismatch - Ensure public key corresponds to private key
- Data modified - Original data must be identical
- Input format difference - Use consistent input format
Performance Issues
- Large data - Hash data first, then sign the hash
- Small key size - Larger keys are slower but more secure
- Batch operations - Process signatures in parallel when possible
Related Nodes
- Verify - Verify signatures created by this node
- HMAC Signature - Alternative symmetric signing (faster)
- Text Hash - Calculate hashes before signing
- File Hash - Hash files before signing
- Generate Key - Generate symmetric keys (not RSA keys)