AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-28 · Documentation low

File: cli/latest/reference/kms/sign.md

Summary

Added warning about double hashing in ED25519_PH_SHA_512 algorithm usage

Security assessment

Added cryptographic implementation detail warning about double hashing. This documents a security-relevant behavior to prevent misuse, but doesn't indicate a vulnerability fix. The warning helps users avoid unintended cryptographic consequences.

Diff

diff --git a/cli/latest/reference/kms/sign.md b/cli/latest/reference/kms/sign.md
index d1d91b0f0..209e27395 100644
--- a//cli/latest/reference/kms/sign.md
+++ b//cli/latest/reference/kms/sign.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.38 Command Reference](../../index.html) »
@@ -181,0 +182,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
+> 
+> ### Warning
+> 
+> When you specify the ED25519_PH_SHA_512 signing algorithm with `MessageType:DIGEST` , KMS still performs the SHA-512 prehash described in [Step 1 of Section 7.8.1 in FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39) . This means the input is hashed twice: once by you and once by KMS.
@@ -503 +507 @@ SigningAlgorithm -> (string)
-  * [AWS CLI 2.34.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.38 Command Reference](../../index.html) »