Signature objects are container objects containing an encoded payload and signature data. This object is essentially a JWS (JSON Web Signature) object. The data being signed (in JWS this is called the "payload") is the string representation of a container.
The JWS payload (or simply payload) is an encoded representation of another container object.
Specifically, the payload is the output of the following function:
BASE64URL(UTF8(JSON.stringify(SDMP Container)))
The child container is converted to a string, then UTF-8 encoded, and then base64url encoded.
The signature object may be referenced elsewhere by the identifier, which is the output of the hashing algorithm applied to the payload, whose bytes have been base64url encoded.
Specifically, the identifier is the output of the following function:
HASH(BASE64URL(UTF8(JSON.stringify(SDMP Container))))
This object holds a signed string, which is the string representation of a valid container object.
This object contains the following properties:
signature: Holds the signature object properties.
This contains the following reserved properties:
identifier (string, required)
The identifier of the payload.
payload (string, required)
The resource payload string.
signatures (array of objects, required)
Each object of this array must be a JWS signature object.
Note that, unlike the JWS specifications, JWS objects containing a single signature must still use this array.
protected (string, required)
Valid JWS protected headers for this signature. (Protected headers are headers which have been base64url encoded.)
The SDMP requires the following header values, and does not allow additional values:
alg: Must be exactly HS512
kid: The key fingerprint of the user or node which generated this signature.
For example, if the key fingerprint of the node generating the signature is:
Then the header object would look like (newlines added for readability only):
{
  "alg": "HS512",
  "kid": "GlvAreTo0lCSyum7Wzh8pzhxYOOu-gMIgO2N95AAwAGP6-nR8xCvWvIW0t9rF_ZZfpCY_fDV38JDFKaOU91A8Q"
}
And the protected header string would be:
signature (string, required)
A valid JWS signature. This is the HMAC SHA-512 hash, with the bytes base64url encoded, having been generated using the key of the user or node signing the payload.
{
  "$schema": "",
  "type": "object",
  "properties": {
    "signature": {
      "type": "object",
      "properties": {
        "identifier": {
          "type": "string"
        },
        "payload": {
          "type": "string"
        },
        "signatures": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "protected": {
                "type": "string"
              },
              "signature": {
                "type": "string"
              }
            },
            "required": [ "protected", "signature" ]
          }
        }
      },
      "required": [ "identifier", "payload", "signatures" ]
    }
  },
  "required": [ "signature" ]
}
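The construction and checks described in this section, as an added Node.js example that is not part of the SDMP specification or its reference code. It assumes HASH is SHA-512, that the HMAC covers the RFC 7515 signing input (protected header, a period, then the payload), and that every entry in the signatures array must verify against a key found by kid; signContainer, verifySignatureObject and keysByKid are names introduced here.

```javascript
// Added example, not SDMP reference code. Assumptions are marked below.
const crypto = require("node:crypto");

const b64u = (text) => Buffer.from(text, "utf8").toString("base64url");
// ASSUMPTION: HASH is SHA-512; the page does not name the algorithm.
const hashId = (payload) => crypto.createHash("sha512").update(payload).digest("base64url");
// ASSUMPTION: HMAC input is the JWS signing input "<protected>.<payload>".
const hmac = (key, prot, payload) =>
  crypto.createHmac("sha512", key).update(`${prot}.${payload}`).digest();

function signContainer(container, kid, key) {
  const payload = b64u(JSON.stringify(container)); // BASE64URL(UTF8(JSON.stringify(...)))
  const prot = b64u(JSON.stringify({ alg: "HS512", kid }));
  const signature = hmac(key, prot, payload).toString("base64url");
  return {
    signature: { identifier: hashId(payload), payload, signatures: [{ protected: prot, signature }] },
  };
}

// Returns the decoded container, or throws on the first failed check.
function verifySignatureObject(obj, keysByKid) {
  const { identifier, payload, signatures } = obj.signature;
  if (identifier !== hashId(payload)) throw new Error("identifier does not match payload");
  // A single signature must still be wrapped in the array.
  if (!Array.isArray(signatures) || signatures.length === 0) {
    throw new Error("signatures must be a non-empty array");
  }
  for (const entry of signatures) {
    const header = JSON.parse(Buffer.from(entry.protected, "base64url").toString("utf8"));
    // Exactly alg and kid are allowed; alg comes from the spec, never from caller choice.
    if (Object.keys(header).sort().join(",") !== "alg,kid" || header.alg !== "HS512") {
      throw new Error("protected header must be exactly alg=HS512 plus kid");
    }
    const key = keysByKid.get(header.kid);
    if (!key) throw new Error("unknown kid"); // ASSUMPTION: fail closed on unknown signers
    const expected = hmac(key, entry.protected, payload);
    const given = Buffer.from(entry.signature, "base64url");
    // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      throw new Error("signature mismatch");
    }
  }
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
}
```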