signature.verify() Always returns False

一整个雨季 2021-01-06 13:06
 public static void main(String[] args) {
    try{
        String mod = "q0AwozeUj0VVkoksDQSCTj3QEgODomq4sAr02xMyIrWldZrNHhWfZAIcWt2MuAY3X6S3ZVUfOFXOrVbltRrO3F9Z6R8


        
3 Answers
  •  执念已碎
    2021-01-06 13:54

    I think the problem is that you are not actually giving it a message to verify.

    An RSA signature works by first hashing the message (that's the "SHA1" in "SHA1withRSA"), and then performing a trapdoor operation on it. This is an operation which is easy to do in one direction and hard in the other direction, unless you know some secret information (the RSA private key).

    To verify, you first invert the mathematical transformation (because it's easy in one direction), and then compare the hash that is embedded in the signature with the hash of the message you just computed. The signature does not in itself contain the message; to verify a signature you need both the signature and the message that was signed.

    At an API level, it looks like the Signature class is expecting you to call update with the contents of the message that this signature was for. Without this, it probably is comparing the hash with the hash of an empty string, so unless your originally signed message was also an empty string, the signature is in fact not valid.
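
The behaviour described in the answer above, as an added Java example (not code from the question or the answer): the same valid signature fails verification when `update` is never called and passes once the signed message is fed in. The class and helper names, the sample message, and the Base64 encoding of the modulus and exponent are assumptions; SHA256withRSA stands in for the question's SHA1withRSA, and the `update`/`verify` flow is identical.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class VerifyNeedsMessage {
    // The question used SHA1withRSA; the update()/verify() flow is the same.
    static final String ALGORITHM = "SHA256withRSA";

    // Rebuild a public key from Base64 modulus and exponent (assumed encoding).
    static PublicKey publicKeyFrom(String modB64, String expB64) throws Exception {
        // signum 1 keeps the value positive even when the top bit is set
        BigInteger n = new BigInteger(1, Base64.getDecoder().decode(modB64));
        BigInteger e = new BigInteger(1, Base64.getDecoder().decode(expB64));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    // feedMessage=false reproduces the mistake: verify() with no update() call
    static boolean verify(PublicKey key, byte[] message, byte[] sig, boolean feedMessage)
            throws Exception {
        Signature verifier = Signature.getInstance(ALGORITHM);
        verifier.initVerify(key);
        if (feedMessage) {
            verifier.update(message); // the verifier hashes this and compares
        }
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a throwaway key pair and message
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(ALGORITHM);
        signer.initSign(pair.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();
        // Round-trip the public key through Base64 modulus/exponent strings
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
        Base64.Encoder enc = Base64.getEncoder();
        PublicKey rebuilt = publicKeyFrom(
                enc.encodeToString(pub.getModulus().toByteArray()),
                enc.encodeToString(pub.getPublicExponent().toByteArray()));
        System.out.println("without update(): " + verify(rebuilt, message, sig, false));
        System.out.println("with update():    " + verify(rebuilt, message, sig, true));
    }
}
```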
