AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-28 · Documentation low

File: cli/latest/reference/kms/verify.md

Summary

Added warning about double hashing in ED25519_PH_SHA_512 signing with DIGEST messages

Security assessment

Documents cryptographic behavior of a security feature (signing) to prevent implementation errors, but doesn't address a specific vulnerability. The warning helps avoid potential cryptographic misuse.

Diff

diff --git a/cli/latest/reference/kms/verify.md b/cli/latest/reference/kms/verify.md
index 57bc81dc3..e7068be91 100644
--- a//cli/latest/reference/kms/verify.md
+++ b//cli/latest/reference/kms/verify.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.38 Command Reference](../../index.html) »
@@ -172,0 +173,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/kms-20
+> 
+> ### Warning
+> 
+> When you specify the ED25519_PH_SHA_512 signing algorithm with `MessageType:DIGEST` , KMS still performs the SHA-512 prehash described in [Step 1 of Section 7.8.1 in FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf#page=39) . This means the input is hashed twice: once by you and once by KMS.
@@ -466 +470 @@ SigningAlgorithm -> (string)
-  * [AWS CLI 2.34.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.38 Command Reference](../../index.html) »