A probabilistic digital signature scheme based on RSA.

It is more formally called RSASSA-PSS in Section 8.1 of RFC8017.

The following example shows how the sender can use its own private key (loaded from a file) to create the signature of a message:

>>> from Crypto.Signature import pss
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import RSA
>>> from Crypto import Random
>>> message = 'To be signed'
>>> key = RSA.import_key(open('privkey.der').read())
>>> h =
>>> signature =

At the receiver side, the matching public RSA key is used to verify authenticity of the incoming message:

>>> key = RSA.import_key(open('pubkey.der').read())
>>> h =
>>> verifier =
>>> try:
>>>     verifier.verify(h, signature):
>>>     print "The signature is authentic."
>>> except (ValueError, TypeError):
>>>     print "The signature is not authentic."
Crypto.Signature.pss.MGF1(mgfSeed, maskLen, hash_gen)

Mask Generation Function, described in B.2.1 of RFC8017.

  • mfgSeed (byte string) – seed from which the mask is generated
  • maskLen (integer) – intended length in bytes of the mask
  • hash_gen – A module or a hash object from Crypto.Hash

the mask, as a byte string

class Crypto.Signature.pss.PSS_SigScheme(key, mgfunc, saltLen, randfunc)

A signature object for RSASSA-PSS. Do not instantiate directly. Use


Return True if this object can be used to sign messages.


Create the PKCS#1 PSS signature of a message.

This function is also called RSASSA-PSS-SIGN and it is specified in section 8.1.1 of RFC8017.


msg_hash (hash object) – This is an object from the Crypto.Hash package. It has been used to digest the message to sign.


the signature encoded as a byte string.

  • ValueError – if the RSA key is not long enough for the given hash algorithm.
  • TypeError – if the RSA key has no private half.
verify(msg_hash, signature)

Check if the PKCS#1 PSS signature over a message is valid.

This function is also called RSASSA-PSS-VERIFY and it is specified in section 8.1.2 of RFC8037.

  • msg_hash – The hash that was carried out over the message. This is an object belonging to the Crypto.Hash module.
  • signature (byte string) – The signature that needs to be validated.

ValueError – if the signature is not valid., **kwargs)

Create a signature object for creating or verifying PKCS#1 PSS signatures.


rsa_key (RSA object) – The RSA key to use for signing or verifying the message. This is a Crypto.PublicKey.RSA object. Signing is only possible when rsa_key is a private RSA key.

Keyword Arguments:
  • mask_func (callable) – A mask generation function that accepts two parameters: a string to use as seed, and the length of the mask in bytes to generate. If not specified, the standard MGF1() is used.
  • salt_bytes (integer) – Length of the salt, in bytes. If not specified, it matches the output size of the hash function. If zero, the signature scheme becomes deterministic.
  • rand_func (callable) – A function that returns random byte string, given the desired length. The default is Crypto.Random.get_random_bytes().

a PSS_SigScheme signature object