How do our Digital Signatures work?

What is a Digital Signature?

A digital signature is a type of electronic signature created using asymmetric or public key cryptography. Unlike traditional signatures, digital signatures are not directly visible on electronic records (e.g. a PDF of the contract). Instead, a cryptographic hash is embedded within the record itself. However, a visual representation is often included when the record is printed.

Digital signatures ensure the integrity of an electronic record. If the record is altered or tampered with in any way, the digital signature becomes invalid because the cryptographic integrity is compromised. Conversely, if the record remains unchanged, the signature remains valid.

The integrity of digital signatures can easily be verified via standard PDF document readers, which will check that the document has not been modified since it was signed. Find out more about verifying digital signatures made with Sign here.

Digital signatures

Other types of electronic signatures

• Attaching a digital image of a handwritten signature to an electronic document.

• Using a finger or stylus to draw a signature on a touchscreen.

• Typing a name at the end of an electronic document.

• Selecting an "I agree" checkbox.

Digital Signatures under Singapore law: OES vs SES

In Singapore, digital signatures may either be regarded as ordinary electronic signatures (OES) or secure electronic signatures (SES).

One of the ways for a digital signature to be considered an SES is if it fulfils the following criteria to be:

• unique to the person using it;

• capable of identifying such person;

• created in a manner or using a means under the sole control of the person using it; and

• linked to the electronic record to which it relates in a manner such that if the record was changed the electronic signature would be invalidated (i.e. tamper-proof).

Alternatively, a digital signature can be considered SES if the certificate used to create it was issued by a public agency approved by the Minister to act as a Certification Authority.

✅ Signatures created through Sign are regarded as Secure Electronic Signatures under the Electronics Transaction Act 2010 (ETA) as they meet both of the methods listed above.

❌ All other electronic or digital signatures that do not meet the criteria to be an SES prescribed under the ETA are considered OES. This is because the process of signing is less secure, which may make establishing the authenticity of the signature difficult in the future. For example, an impersonator might mimic the declarant by placing an image of their signature that they obtained from some other source, or by typing their name on a statutory declaration. Detecting such impersonation can be difficult for the person requesting the signature, especially if it is their first time meeting the person, or if the signing is done remotely (e.g. via email, online platforms, etc).

How does Sign create SES-eligible signatures?

Sign with Singpass signatures use Public-Key Infrastructure (PKI).

Public Key Infrastructure (PKI) involves the use of a pair of cryptographic keys: a private key (kept secret by the signer, on the Singpass app) and a public key (embedded in the Singpass signing certificate). The private key is used to create a digital signature, which is a unique encrypted code tied to the document. The public key can be used by the recipient of the document to verify the authenticity of the digital signature. GovTech issues the Singpass signing certificate, which ties the identity of the signer to the public key.

This process ensures that only the holder of the private key is able to sign the document.