Skip to content

What are signatures?

Introduction

Signatures are another means of security Roblox uses to prevent any unauthorized tampering with external requests from Roblox Servers.

Traditionally, signatures are, as the name suggests, a method to determine the actual author/sender of an article.

In today's world, digital signatures are analogous (to traditional signatures) — They utilize mathematical algorithms to validate the authenticity of data.1

This graph demonstrates the signing process conceptionally:2

flowchart LR
    id1[(Data)]-->id2[Sign]---id3>Private Key]
    id2-->id7[(Signed Data)]-->id5
    id6>Public Key]---id5[Verify]-->id4[(Data)]

Client Signatures

Roblox uses (and used) signatures for a multitude of things including but not limited to:

  • JoinScripts
  • Online CoreScripts (2010-2014)[Citation needed]
  • BuiltInPlugins3

Specification

Roblox uses the RSA algorithm (1024-bits) with X509 and PKCS7 encoding.

Signature wrappers have differed between the years but here are the primary forms:

  • %DATA% (2010-2013)
  • --rbxsig%DATA% (2013-2020)
  • --rbxsig2%DATA% (Since 2018)
  • --rbxsig4%DATA% (Since 2020)

(DATA refers to the actual signature)

See Also:


  1. More Information: https://www.cisa.gov/uscert/ncas/tips/ST04-018 

  2. Signed data goes from server to client then which the client verifies it. 

  3. Signed BuiltInPlugins were introduced in late 2019 in the form of *.sig files