{"id":10594,"library":"browserify-sign","title":"Browserify Sign","description":"browserify-sign is a JavaScript library that provides browser-compatible implementations of Node.js's `crypto` module public key functions, specifically `createSign` and `createVerify`. This allows developers to use cryptographic signing and verification operations, typically involving RSA or DSA algorithms, directly in web browsers by bundling their code with Browserify. The current stable version is 4.2.5, last published approximately seven months ago (as of April 2026). The project maintains a sustainable release cadence with at least one new version released annually, primarily focusing on maintenance and security updates rather than active feature development. Its key differentiator is enabling Node.js-style crypto APIs in browser environments, making it crucial for projects requiring consistent cryptographic behavior across server and client-side JavaScript when using the Browserify bundling approach.","status":"maintenance","version":"4.2.5","language":"javascript","source_language":"en","source_url":"https://github.com/crypto-browserify/browserify-sign","tags":["javascript"],"install":[{"cmd":"npm install browserify-sign","lang":"bash","label":"npm"},{"cmd":"yarn add browserify-sign","lang":"bash","label":"yarn"},{"cmd":"pnpm add browserify-sign","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Big number arithmetic for cryptographic operations.","package":"bn.js"},{"reason":"RSA specific cryptographic primitives for browser environments.","package":"browserify-rsa"},{"reason":"Elliptic curve cryptography functionalities.","package":"elliptic"},{"reason":"ASN.1 parsing for key and certificate formats.","package":"parse-asn1"},{"reason":"Provides a Buffer API that is safe across Node.js versions.","package":"safe-buffer"}],"imports":[{"note":"This package is primarily CommonJS for use with Browserify. 
`Sign` is a constructor for creating signer instances.","wrong":"import { Sign } from 'browserify-sign';","symbol":"Sign","correct":"const { Sign } = require('browserify-sign');"},{"note":"`Verify` is a constructor for creating verifier instances, matching Node.js `crypto.createVerify` functionality.","wrong":"import Verify from 'browserify-sign/verify';","symbol":"Verify","correct":"const { Verify } = require('browserify-sign');"},{"note":"The interface of the `algos` sub-path changed in v4.0.1, which was a breaking change, and requiring sub-paths directly is no longer the standard or supported API. Pass algorithm strings to the `Sign` or `Verify` constructors.","wrong":"require('browserify-sign/algos')","symbol":"Specific Algorithms (deprecated)","correct":"/* Use Sign/Verify constructors with algorithm strings directly */"}],"quickstart":{"code":"const { Sign, Verify } = require('browserify-sign');\nconst crypto = require('crypto'); // Node.js 'crypto' for key generation (use pre-generated keys in browser)\n\n// In a browser environment, you would typically load pre-existing private and public keys.\n// For demonstration purposes, we generate them (requires Node.js crypto module).\n// NEVER hardcode keys in production.\nconst { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {\n  modulusLength: 2048,\n  publicKeyEncoding: { type: 'spki', format: 'pem' },\n  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }\n});\n\nconst data = 'This is the message to be signed.';\nconst algorithm = 'sha256'; // Algorithm name, e.g., 'sha256' or 'RSA-SHA256'\n\n// --- Signing Process ---\nconst signer = new Sign(algorithm);\nsigner.update(data);\nsigner.end(); // Indicate no more data will be written\n\n// The privateKey must be loaded securely.\nconst signature = signer.sign(privateKey, 'base64');\nconsole.log('Generated Signature:', signature);\n\n// --- Verification Process ---\nconst verifier = new Verify(algorithm);\nverifier.update(data);\nverifier.end(); // Indicate no more data will be written\n\n// 
The publicKey must be loaded securely.\nconst isVerified = verifier.verify(publicKey, signature, 'base64');\nconsole.log('Signature Verification Result:', isVerified);\n\nif (isVerified) {\n  console.log('The signature is valid for the data and public key.');\n} else {\n  console.error('The signature is NOT valid.');\n}","lang":"javascript","description":"Demonstrates how to use `browserify-sign` to sign data with a private key and verify it with a public key, mirroring the Node.js crypto API. Key generation is shown using Node's native crypto, but in a browser, keys would be pre-loaded."},"warnings":[{"fix":"Avoid direct `require` calls to internal sub-paths like `/algos`. Instead, pass the algorithm string directly to the `Sign` or `Verify` constructor, e.g., `new Sign('sha256')`.","message":"Version 4.0.1 introduced a breaking change by modifying the interface for `require('browserify-sign/algos')`. Projects relying on this direct sub-path access experienced failures.","severity":"breaking","affected_versions":"4.0.1"},{"fix":"Immediately upgrade to `browserify-sign` version 4.2.2 or higher to patch the DSA signature forgery vulnerability. Always keep cryptographic libraries updated.","message":"A critical vulnerability (CVE-2023-46234) involving an upper bound check issue in the `dsaVerify` function allowed attackers to construct DSA signatures that could be successfully verified by any public key, leading to signature forgery. This affects all instances performing DSA verification on user-supplied signatures.","severity":"breaking","affected_versions":"<4.2.2"},{"fix":"Ensure your project is set up to use Browserify for bundling browser-side code. If you require Node.js `crypto` in Node.js, use the built-in module. For modern browser-native crypto, consider Web Crypto API or modern bundlers with appropriate shims.","message":"This library is designed for use with Browserify to shim Node.js `crypto` functionality in browser environments. 
Directly importing or using it in a native Node.js environment or a modern ESM-first browser application without Browserify bundling will likely lead to module resolution errors or unexpected behavior.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Ensure `browserify` is correctly configured to bundle your application and replace Node.js `crypto` with `browserify-sign` (often handled automatically by `crypto-browserify`, which depends on `browserify-sign`). Run `browserify main.js -o bundle.js`.","cause":"Attempting to use `require('crypto')` in a browser environment where `browserify` is not configured to shim the `crypto` module or `browserify-sign` is not properly integrated.","error":"Cannot find module 'crypto'"},{"fix":"Verify the algorithm string exactly matches one supported by the underlying crypto implementation (case-sensitive where relevant). Ensure private and public keys are correctly formatted PEM strings. Check the `CHANGELOG.md` or source for supported algorithms if issues persist.","cause":"Incorrect algorithm string provided (e.g., 'SHA256' instead of 'sha256' or 'RSA-SHA256'), or private/public key material is not in the expected PEM format or is corrupted. It could also be due to old OpenSSL versions not supporting certain schemes.","error":"`new Sign(algorithm)` or `new Verify(algorithm)` throws an error about unsupported algorithm or invalid key format."}],"ecosystem":"npm"}