A probabilistic digital signature scheme based on RSA.

It is more formally called RSASSA-PSS in Section 8.1 of RFC8017.

The following example shows how the sender can use its own private key (loaded from a file) to create the signature of a message:

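>>> from Crypto.Signature import pss
>>> from Crypto.Hash import SHA256
>>> from Crypto.PublicKey import RSA
>>> from Crypto import Random
>>> message = b'To be signed'
>>> # Read the key file in binary mode
>>> key = RSA.import_key(open('privkey.der', 'rb').read())
>>> # Hash the message, then sign the hash object
>>> h = SHA256.new(message)
>>> signature = pss.new(key).sign(h)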

At the receiver side, the matching public RSA key is used to verify authenticity of the incoming message:

>>> key = RSA.import_key(open('pubkey.der', 'rb').read())
>>> h = SHA256.new(message)
>>> verifier = pss.new(key)
>>> # verify() raises an exception if the signature does not match
>>> try:
...     verifier.verify(h, signature)
...     print("The signature is authentic.")
... except (ValueError, TypeError):
...     print("The signature is not authentic.")

Crypto.Signature.pss.MGF1(mgfSeed, maskLen, hash_gen)

Mask Generation Function, described in B.2.1 of RFC8017.

Parameters:
  • mgfSeed (byte string) – seed from which the mask is generated
  • maskLen (integer) – intended length in bytes of the mask
  • hash_gen – A module or a hash object from Crypto.Hash

Returns: the mask, as a byte string

class Crypto.Signature.pss.PSS_SigScheme(key, mgfunc, saltLen, randfunc)

A signature object for RSASSA-PSS. Do not instantiate directly. Use


Return True if this object can be used to sign messages.


Create the PKCS#1 PSS signature of a message.

This function is also called RSASSA-PSS-SIGN and it is specified in section 8.1.1 of RFC8017.


Parameters:
  • msg_hash (hash object) – This is an object from the Crypto.Hash package. It has been used to digest the message to sign.

Returns: the signature encoded as a byte string.

Raises:
  • ValueError – if the RSA key is not long enough for the given hash algorithm.
  • TypeError – if the RSA key has no private half.

verify(msg_hash, signature)

Check if the PKCS#1 PSS signature over a message is valid.

This function is also called RSASSA-PSS-VERIFY and it is specified in section 8.1.2 of RFC8017.

Parameters:
  • msg_hash – The hash that was carried out over the message. This is an object belonging to the Crypto.Hash module.
  • signature (bytes) – The signature that needs to be validated.

Raises: ValueError – if the signature is not valid.

Crypto.Signature.pss.new(rsa_key, **kwargs)

Create an object for making or verifying PKCS#1 PSS signatures.


Parameters:
  • rsa_key (RSA object) – The RSA key to use for signing or verifying the message. This is a Crypto.PublicKey.RSA object. Signing is only possible when rsa_key is a private RSA key.

Keyword Arguments:
  • mask_func (callable) – A mask generation function that accepts two parameters: the bytes to use as seed, and the number of bytes to return (i.e. the length of the mask). If not specified, the standard MGF1() function is used, based on the same hash algorithm applied to the message.
  • salt_bytes (integer) – Length of the salt, in bytes. If not specified, it matches the digest of the hash algorithm applied to the message. If zero, the signature scheme becomes deterministic.
  • rand_func (callable) – A function that returns random bytes, of the desired length. The default is Crypto.Random.get_random_bytes().

Returns: a PSS_SigScheme signature object
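
To show what the mask_func and salt_bytes parameters control, the following added example (not part of the original documentation and not the library's own code) implements MGF1 and the EMSA-PSS encoding and consistency check from RFC 8017, sections B.2.1 and 9.1, using only hashlib. The function names mgf1, pss_encode and pss_check are hypothetical, the salt is passed in explicitly, and the RSA operation itself is left out.

```python
# Added illustration of RFC 8017 B.2.1 / 9.1; names are hypothetical, no RSA step.
import hashlib
import hmac
import os

def mgf1(seed, mask_len, hash_fn=hashlib.sha256):
    """MGF1: concatenate Hash(seed || 4-byte counter) until mask_len bytes."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(m_hash, em_bits, salt, hash_fn=hashlib.sha256):
    """Return the encoded message EM that the RSA private key would sign."""
    em_len, h_len = (em_bits + 7) // 8, len(m_hash)
    if em_len < h_len + len(salt) + 2:
        raise ValueError("RSA key too short for this hash and salt length")
    h = hash_fn(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytearray(_xor(db, mgf1(h, len(db), hash_fn)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the unused top bits
    return bytes(masked) + h + b"\xbc"

def pss_check(m_hash, em, em_bits, salt_len, hash_fn=hashlib.sha256):
    """Return True if EM is a consistent PSS encoding of m_hash."""
    em_len, h_len = (em_bits + 7) // 8, len(m_hash)
    pad_len = em_len - h_len - salt_len - 2
    if len(em) != em_len or pad_len < 0 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(_xor(masked, mgf1(h, len(masked), hash_fn)))
    db[0] &= top
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return False
    salt = bytes(db[pad_len + 1:])                # recover the salt from DB
    return hmac.compare_digest(h, hash_fn(b"\x00" * 8 + m_hash + salt).digest())

if __name__ == "__main__":
    digest = hashlib.sha256(b"To be signed").digest()
    em = pss_encode(digest, 2047, os.urandom(32))  # 2048-bit key: emBits = 2047
    print(pss_check(digest, em, 2047, 32), em != pss_encode(digest, 2047, os.urandom(32)))
    print(pss_encode(digest, 2047, b"") == pss_encode(digest, 2047, b""))
```

With a random salt, two encodings of the same digest differ and both pass the check; with an empty salt the encoding is identical every time, and a check that assumes the wrong salt length rejects an otherwise valid encoding.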