Verifying the signature
After receiving the character string of the response or notification from the Alipay system, append the MD5 secret key to the character string to generate a new string, as in the steps taken in Signing the data. Then calculate the MD5 signature of this new string. Once the 32-byte signature result string is generated, check whether it is equal to the value passed in the sign parameter. If it is, the verification passes.
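The MD5 check above as an added Python example (not Alipay's own code). The pre-sign rule used here (drop sign, sign_type and empty values, sort by parameter name, join as name=value with "&") is an assumption standing in for Generating Pre-sign String, and the key and notification fields are constructed sample values.

```python
import hashlib
import hmac


def build_presign_string(params):
    # Assumed pre-sign rule: exclude sign/sign_type and empty values,
    # sort by parameter name, join as name=value pairs with '&'.
    items = sorted(
        (k, v) for k, v in params.items()
        if k not in ("sign", "sign_type") and v not in (None, "")
    )
    return "&".join(f"{k}={v}" for k, v in items)


def md5_sign(params, secret_key, charset="utf-8"):
    # Append the MD5 secret key to the pre-sign string, then hash.
    data = (build_presign_string(params) + secret_key).encode(charset)
    return hashlib.md5(data).hexdigest()  # 32 hex characters


def verify_md5(params, secret_key, charset="utf-8"):
    received = params.get("sign")
    # Reject a missing or malformed sign value before comparing.
    if not isinstance(received, str) or len(received) != 32:
        return False
    expected = md5_sign(params, secret_key, charset)
    # Constant-time comparison avoids leaking how many leading
    # characters of the signature matched.
    return hmac.compare_digest(
        expected.encode("ascii"), received.encode("ascii", "replace")
    )


# Constructed sample data: not a real key or a real notification.
SECRET = "constructed-demo-key"
notification = {
    "notify_type": "trade_status_sync",
    "out_trade_no": "ORDER-0001",
    "trade_status": "TRADE_FINISHED",
    "total_fee": "10.00",
    "sign_type": "MD5",
}
notification["sign"] = md5_sign(notification, SECRET)

if __name__ == "__main__":
    print("genuine :", verify_md5(notification, SECRET))
    print("tampered:", verify_md5(dict(notification, total_fee="0.01"), SECRET))
```

Verify the signature before acting on any field of the notification, and treat a failed check as an untrusted message.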
For an RSA/DSA signature, after receiving a response or notification, perform the following steps to verify the signature:
1. Generate the pre-sign string as described in Generating Pre-sign String.
2. Use the RSA/DSA algorithm to calculate a message digest.
3. Use the RSA/DSA public key to de-sign the signature (the value of the sign field) to a message digest.
4. Compare the two message digests obtained in step 2 and step 3. If the digests are the same, the signed data has not been changed.