This package is abandoned and no longer maintained. The author suggests using the robrichards/xmlseclibs package instead.

Sign XML Documents with Digital Signatures

2.4.0 2022-01-04 10:45 UTC

This package is auto-updated.

Last update: 2022-11-28 20:59:24 UTC


Latest Version on Packagist Software License Build Status Coverage Status Quality Score Total Downloads


  • Sign XML Documents with Digital Signatures (XMLDSIG)
  • Verify the Digital Signatures of XML Documents


  • PHP 8.0+
  • The openssl extension
  • A X.509 digital certificate


composer require selective/xmldsig


Sign XML Document with Digital Signature

Input file: example.xml

<?xml version="1.0"?>
use Selective\XmlDSig\DigestAlgorithmType;
use Selective\XmlDSig\XmlSigner;

$xmlSigner = new XmlSigner();

// Load a pfx file
$xmlSigner->loadPfxFile('filename.pfx', 'password');

// or load pfx from a string
$xmlSigner->loadPfx('pfx content', 'password');

// or load a PEM file
$xmlSigner->loadPrivateKeyFile('filename.pem', 'password');

// or load a PEM private key from a string
$xmlSigner->loadPrivateKey('private key content', 'password');

// Optional: Set reference URI

// Create a signed file
$xmlSigner->signXmlFile('example.xml', 'signed-example.xml', DigestAlgorithmType::SHA512);

Output file: signed-example.xml

<?xml version="1.0"?>
    <Signature xmlns="">
            <CanonicalizationMethod Algorithm=""/>
            <SignatureMethod Algorithm=""/>
            <Reference URI="">
                    <Transform Algorithm=""/>
                <DigestMethod Algorithm=""/>

Verify the Digital Signatures of XML Documents

use Selective\XmlDSig\XmlSignatureValidator;

// Create a validator instance
$signatureValidator = new XmlSignatureValidator();

// Create a validator instance that does not remove redundant white spaces
$signatureValidator = new XmlSignatureValidator(false);
// Load a PFX file
$signatureValidator->loadPfxFile('filename.pfx', 'password');

// or load just a public key file from a string
$signatureValidator->loadPfx('public key content', 'password');

// or load a public key file (without password)

// or load the public key from a string (without password)
$signatureValidator->loadPublicKey('public key content');
// Verify a XML file
$isValid = $signatureValidator->verifyXmlFile('signed-example.xml');

// or verify XML from a string
$isValid = $signatureValidator->verifyXml('xml content');

if ($isValid === true) {
    echo 'The XML signature is valid.';
} else {
    echo 'The XML signature is not valid.';

Online XML Digital Signature Verifier

Try these excellent online tools to verify XML signatures:

Similar libraries


The MIT License (MIT). Please see License File for more information.