Verify

Verifies RSA digital signatures using a public key and the PKCS#1 v1.5 signature scheme. This node authenticates that data was signed by the holder of the corresponding private key and hasn't been modified.

Common Properties

• Name - The custom name of the node.
• Color - The custom color of the node.
• Delay Before (sec) - Waits in seconds before executing the node.
• Delay After (sec) - Waits in seconds after executing node.
• Continue On Error - Automation will continue regardless of any error. The default value is false.

info

If the ContinueOnError property is true, no error is caught when the project is executed, even if a Catch node is used.

Inputs

• Hash - The original hash value in hexadecimal format that was signed.
• Signature - The RSA signature in hexadecimal format to verify.
• Public Key - The RSA public key in PEM format used to verify the signature.

Options

• Hash Function - The cryptographic hash algorithm that was used for signing:
  • md5 - MD5
  • sha1 - SHA-1
  • sha256 - SHA-256 (recommended)
  • sha512 - SHA-512

Output

This node does not produce output variables. If verification succeeds, the flow continues normally. If verification fails, the node throws an error.

How It Works

The Verify node validates RSA digital signatures using public key cryptography:

1. Receives the original hash, signature, and public key
2. Decodes the public key from PEM format
3. Parses the PKIX public key structure
4. Validates it's an RSA public key
5. Decodes the signature from hexadecimal
6. Decodes the hash from hexadecimal
7. Uses the selected hash algorithm to verify the signature
8. Calls RSA PKCS#1 v1.5 verification
9. If verification succeeds, flow continues
10. If verification fails, throws an error

Verification confirms that:

• The signature was created by the holder of the matching private key
• The hash hasn't been modified since signing
• The data integrity is intact

Example Usage

Verify Document Signature

// Receive signed document
const document = "Important legal contract...";
const receivedSignature = "a1b2c3d4e5f6..."; // Signature from sender
const senderPublicKey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----`;

// 1. Calculate hash of received document
// Use Text Hash node with SHA-256
const documentHash = "{{msg.hash}}";

// 2. Verify signature
// Use Verify node
//   Hash: documentHash
//   Signature: receivedSignature
//   Public Key: senderPublicKey
//   Hash Function: sha256

// If node completes without error, signature is valid
console.log("Document signature verified - authentic and unmodified");

Verify API Response

// Verify signed API response
const apiResponse = {
  data: {status: "success", amount: 1000},
  signature: "abc123def456...",
  timestamp: 1642345678
};

const apiPublicKey = "{{vault.api_provider_public_key}}";

// 1. Calculate hash of response data
const responseData = JSON.stringify(apiResponse.data);
// Use Text Hash node with SHA-256
const dataHash = "{{msg.hash}}";

// 2. Verify signature
// Use Verify node
//   Hash: dataHash
//   Signature: apiResponse.signature
//   Public Key: apiPublicKey
//   Hash Function: sha256

// Signature valid - can trust the response

Verify Software Signature

// Verify downloaded software package
const downloadedFile = "/downloads/software-installer.exe";
const publisherSignature = "7f8e9d0c1b2a..."; // From publisher website
const publisherPublicKey = `-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----`;

// 1. Calculate file hash
// Use File Hash node with SHA-256
const fileHash = "{{msg.hash}}";

// 2. Verify signature
// Use Verify node
//   Hash: fileHash
//   Signature: publisherSignature
//   Public Key: publisherPublicKey
//   Hash Function: sha256

// Signature verified - software is authentic
console.log("Software signature verified - safe to install");

Verify Email Signature

// Verify signed email (DKIM-like)
const emailContent = "From: sender@example.com\n" +
                    "To: you@example.com\n" +
                    "Subject: Important\n\n" +
                    "Email body...";
const emailSignature = "{{msg.headers['X-Signature']}}";

// Get sender's public key (from DNS or key server)
const senderPublicKey = "{{lookup_public_key('sender@example.com')}}";

// 1. Hash email content
// Use Text Hash node
const contentHash = "{{msg.hash}}";

// 2. Verify signature
// Use Verify node with sender's public key

// Email signature verified - sender is authentic

Verify Multi-Party Signatures

// Verify multiple signatures on a contract
const contract = "Multi-party agreement...";
const signatures = {
  partyA: "a1b2c3...",
  partyB: "d4e5f6..."
};

// Calculate contract hash once
// Use Text Hash node
const contractHash = "{{msg.hash}}";

// Verify Party A signature
// Use Verify node
//   Hash: contractHash
//   Signature: signatures.partyA
//   Public Key: partyA_public_key
console.log("Party A signature verified");

// Verify Party B signature
// Use Verify node
//   Hash: contractHash
//   Signature: signatures.partyB
//   Public Key: partyB_public_key
console.log("Party B signature verified");

// All signatures valid - contract is binding

Verify with Timestamp Check

// Verify signature and timestamp to prevent replay
const signedData = {
  data: "Transaction data...",
  timestamp: 1642345678,
  signature: "abc123..."
};

const currentTime = Date.now();
const maxAge = 300000; // 5 minutes

// Check timestamp freshness
if (currentTime - signedData.timestamp > maxAge) {
  throw new Error("Signature expired - possible replay attack");
}

// Calculate hash including timestamp
const dataWithTimestamp = signedData.data + "|timestamp:" + signedData.timestamp;
// Use Text Hash node
const dataHash = "{{msg.hash}}";

// Verify signature
// Use Verify node
console.log("Signature verified and timestamp valid");

Requirements

• Valid RSA public key in PEM format (PKIX)
• Original hash in hexadecimal format
• Signature in hexadecimal format
• Hash function must match the one used for signing
• Public key must correspond to the private key used for signing

Error Handling

The node will throw errors in the following cases:

• Invalid public key PEM - Public key is not valid PEM format
• Invalid public key format - Not a valid PKIX public key
• Non-RSA key - Public key is not an RSA key
• Invalid signature format - Signature is not valid hexadecimal
• Invalid hash format - Hash is not valid hexadecimal
• Verification failed - Signature doesn't match (invalid or tampered data)
• Key mismatch - Public key doesn't match the private key used for signing

Security Best Practices

• Trust public keys - Only use public keys from trusted sources
• Verify key authenticity - Confirm public key belongs to claimed owner
• Use strong algorithms - Use SHA-256 or SHA-512, avoid MD5/SHA-1
• Check timestamps - Verify signature freshness to prevent replay attacks
• Validate data first - Check data format before verification
• Handle errors - Treat verification failures as security events
• Audit verifications - Log verification attempts for security monitoring
• Use key fingerprints - Verify public key fingerprints before first use
• Constant-time comparison - If comparing hashes, use constant-time comparison

Verification Process

Successful Verification

When verification succeeds:

1. Flow continues to next node
2. No output variables set
3. No errors thrown
4. Data is authenticated and unmodified

Failed Verification

When verification fails:

1. Node throws an error
2. Flow stops (unless Continue On Error is true)
3. Error indicates verification failure
4. Data should be rejected or flagged

Common Use Cases

• Document Authentication - Verify signed documents and contracts
• Software Verification - Verify software packages and updates
• API Response Validation - Verify responses from third-party APIs
• Email Verification - Verify email signatures (DKIM-like)
• Code Integrity - Verify code signatures before execution
• Blockchain Validation - Verify blockchain transaction signatures
• Certificate Validation - Verify digital certificate signatures
• Audit Trail - Verify signed audit log entries

Algorithm Selection

Must match the hash function used for signing:

SHA-256 (Most Common)

• Standard for most applications
• Good balance of security and compatibility
• Use when signer used SHA-256

SHA-512 (High Security)

• For high-security applications
• Use when signer used SHA-512

SHA-1 / MD5 (Legacy Only)

• Only for legacy system compatibility
• Not recommended for new implementations
• Use only when required by legacy signatures

Tips for Effective Use

• Always use the same hash function as the signer
• Store public keys securely but they don't need encryption
• Verify public key fingerprints on first use
• Implement error handling for verification failures
• Log all verification attempts for audit trails
• Check signature timestamp to prevent replay attacks
• Validate data format before verification
• Use Continue On Error carefully - usually you want to stop on failure
• Test verification with known good signatures

Public Key Management

// Store public keys in vault or database
const publicKeyStore = {
  "partner_a": "-----BEGIN PUBLIC KEY-----...",
  "partner_b": "-----BEGIN PUBLIC KEY-----...",
  "vendor_1": "-----BEGIN PUBLIC KEY-----..."
};

// Retrieve public key for verification
const senderId = "partner_a";
const senderPublicKey = publicKeyStore[senderId];

// Use Verify node with retrieved public key

Error Handling Example

// Proper error handling for verification
try {
  // Use Verify node (Continue On Error: false)

  // If we reach here, signature is valid
  console.log("Signature verified successfully");
  // Process the verified data

} catch (error) {
  // Verification failed
  console.log("Signature verification failed:", error.message);

  // Take appropriate action:
  // - Reject the data
  // - Alert security team
  // - Log the incident
  // - Request new signature
}

Integration with Sign Node

// Complete signing and verification workflow

// Sender side (uses Sign node)
const data = "Important message";
// Use Text Hash node
const dataHash = "{{msg.hash}}";
// Use Sign node with private key
const signature = "{{msg.signature}}";

// Send: {data: data, signature: signature}

// Receiver side (uses Verify node)
const received = {
  data: "Important message",
  signature: "abc123..."
};

// Calculate hash of received data
// Use Text Hash node
const receivedHash = "{{msg.hash}}";

// Verify signature
// Use Verify node
//   Hash: receivedHash
//   Signature: received.signature
//   Public Key: sender_public_key

// Signature verified - message is authentic

Performance Considerations

• RSA verification is faster than signing
• Verification time increases with key size
• 2048-bit: ~0.1-0.2ms per verification
• 4096-bit: ~0.3-0.5ms per verification
• Much faster than HMAC verification for large data
• Can verify multiple signatures in parallel

Troubleshooting

Verification Always Fails

• Hash function mismatch - Ensure same algorithm as signer
• Wrong public key - Verify public key matches signer's private key
• Data modified - Ensure exact same data as was signed
• Signature corrupted - Check signature wasn't truncated or modified
• Encoding issues - Verify hexadecimal encoding is correct

Invalid Public Key Errors

• PEM format - Ensure proper PEM headers and formatting
• Key type - Verify it's an RSA public key, not private key
• Encoding - Check for copy/paste errors or encoding issues

Performance Issues

• Large keys - Larger keys (4096-bit) are slower
• Many verifications - Process in parallel when possible

Related Nodes

• Sign - Create signatures that this node verifies
• HMAC Signature - Alternative symmetric authentication (faster)
• Text Hash - Calculate hashes before verification
• File Hash - Hash files before verification