Signatures

Signatures are found in many scripts and files used by Roblox. Originally introduced in 2009^[a], nowadays it is primarily used by the client to verify the authenticity of join scripts, CoreScripts, and other trusted scripts, as well as by the server to properly authenticate clients. Roblox uses the RSA public-key cryptosystem in order to both verify and sign messages.

Signatures are Base64 encoded and surrounded by percentage signs (an example would be %AQIDBA==%). However, since around version 0.116 (dated 8/14/2013) signatures must be prepended with --rbxsig^[b] in order to be parsed correctly. In certain Roblox versions, scripts require the asset ID appended to the signature. The asset ID must also be formatted in the same way as signatures are, surrounded by percentage signs; thus an example full signature for a script of asset ID 1234 would be %AQIDBA==%%1234%.

Roblox uses the RSA cryptosystem in an idiosyncratic way. Some key things to note are;

The size of the keypair must be 1024 bits.
Roblox uses the Microsoft Cryptographic API (CAPI) to verify messages on the client; thus, the public key is not stored within the client as a PEM-equivalent format and rather as a Base64 encoded CAPI blob^[c]. Such blobs may be generated with tools such as @orcfoss/Roblox.Tools.
Roblox uses the SHA-1 hashing algorithm to hash messages before signing them^[d].

References

Footnotes

↑ The first known Roblox client version to have signature verification was 0.13.17.0 (dated 5/5/2009).
↑ Newer versions of Roblox have rbxsig2 and rbxsig4 in order to remain backwards compatible with older scripts, as they have since changed their RSA keypair. However, the algorithm remains more or less the same, with the only exceptions being a newer hashing algorithm used and storing the key differently within the client.
↑ Before 2018, Roblox's public key blob (as Base64) has been BgIAAACkAABSU0ExAAQAAAEAAQCjbUyx9OXTBcWEAonZOfAoT7YhMS+L21WwAZlsEjvzHXQpulpasNFhC1U6tBX6c8Qey2fiRBXHpqbh7vAC7u2niT6dMLLqY9UzII0jyxKD/EUODcQHTKpbM18FRobqLcvK0DNdIaHwypr7NRnSWk4NXhtM0v40W7/mr35PxbJ8rQ==.
↑ The SHA-1 hashing algorithm is insecure and is dangerous to use in production.^[1] You can easily hook signature verification within the client using tools such as @orcfoss/Lure in order to achieve signatures that utilize newer hashing algorithms, such as SHA-256.

Citations

↑ "SHA-1 Collision Attacks Are Now Actually Practical and a Looming Danger." ZDNET. www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

[1] The first known Roblox client version to have signature verification was 0.13.17.0 (dated 5/5/2009).

[2] Newer versions of Roblox have rbxsig2 and rbxsig4 in order to remain backwards compatible with older scripts, as they have since changed their RSA keypair. However, the algorithm remains more or less the same, with the only exceptions being a newer hashing algorithm used and storing the key differently within the client.

[3] Before 2018, Roblox's public key blob (as Base64) has been BgIAAACkAABSU0ExAAQAAAEAAQCjbUyx9OXTBcWEAonZOfAoT7YhMS+L21WwAZlsEjvzHXQpulpasNFhC1U6tBX6c8Qey2fiRBXHpqbh7vAC7u2niT6dMLLqY9UzII0jyxKD/EUODcQHTKpbM18FRobqLcvK0DNdIaHwypr7NRnSWk4NXhtM0v40W7/mr35PxbJ8rQ==.

[5] The SHA-1 hashing algorithm is insecure and is dangerous to use in production.^[1] You can easily hook signature verification within the client using tools such as @orcfoss/Lure in order to achieve signatures that utilize newer hashing algorithms, such as SHA-256.

[4] "SHA-1 Collision Attacks Are Now Actually Practical and a Looming Danger." ZDNET. www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

[a]

[b]

[c]

[d]

[1]

Signatures

References

Footnotes

Citations

Navigation menu

Search