E-Invoicing Glossary

Digital Signature

A digital signature is a cryptographic mechanism that authenticates e-invoice documents in MyInvois, ensuring they have not been tampered with after submission.

What is a Digital Signature?

A digital signature in the e-invoicing context is a cryptographic technique that uses public-key infrastructure (PKI) to prove the authenticity and integrity of an e-invoice document. Unlike a handwritten signature or a scanned image of a signature, a digital signature is mathematically bound to the document content — any change to the document after signing renders the signature invalid, providing tamper evidence. In Malaysia's MyInvois system, digital signatures are applied by LHDN to all validated invoices, creating an unforgeable official record.

How MyInvois uses digital signatures: when a business submits an invoice through the MyInvois API or portal, LHDN's system validates the document content against the UBL schema. Upon successful validation, LHDN applies its digital signature to the invoice using LHDN's private key. The resulting signed document — along with the UUID and QR code — is returned to the submitter. Anyone with LHDN's public key can verify this signature and confirm that the invoice was indeed validated by LHDN and has not been modified since.

Why digital signatures matter for businesses: the signed invoice is the definitive legal record of the transaction. In a tax audit or commercial dispute, a digitally signed MyInvois invoice has strong evidentiary value because it proves the document originated from LHDN's system (not a fabrication), the content has not been altered, and the validation occurred at a specific timestamp. Unsigned invoices — PDFs, paper documents, or self-generated files — cannot provide this level of assurance.

Business implications of the digital signature requirement: businesses do not typically need to create their own digital signatures when submitting to MyInvois — the signing is done by LHDN upon validation. However, businesses that use the Peppol network may need to sign documents with their own credentials before transmission, as the Peppol protocol requires sender-signed documents at certain transmission steps. Some advanced e-invoicing software implementations also apply a preliminary business signature before MyInvois submission as an additional layer of authenticity.

From a records management perspective, businesses should store the digitally signed invoice document (as returned by MyInvois, including the LHDN signature and UUID) rather than only the original unsigned UBL file they submitted. The LHDN-signed version is the authoritative record. Some e-invoicing software and cloud storage solutions automatically archive the signed versions of all submitted invoices, which simplifies the seven-year record retention requirement under the Income Tax Act.

Frequently Asked Questions

Do I need to sign my own invoices before submitting to MyInvois?

For standard MyInvois portal or API submissions, you do not need to apply your own digital signature — LHDN signs the document after successful validation. The signature you receive back from MyInvois is LHDN's own signature on the validated invoice. However, if you use the Peppol network, your Peppol Access Point may apply an AS4 transmission signature at the network level, which is separate from the MyInvois validation signature. Your Access Point handles this automatically.

What algorithm does MyInvois use for digital signatures?

LHDN's MyInvois system applies digital signatures using RSA-SHA256 (RSA with SHA-256 hashing), which is the widely adopted standard for document signing in public sector applications. The signed document uses the XML-DSig (XML Digital Signature) standard for UBL XML documents. LHDN's public key certificate, needed to verify the signature, is published on the MyInvois developer portal. Developers building verification tools can use this public key to programmatically verify the authenticity of any LHDN-signed invoice.

Can invoices be forged?

Invoices that have been digitally signed by LHDN through MyInvois cannot be forged or altered without detection. The digital signature binds the signature to the exact document content — any modification breaks the signature. Additionally, the UUID embedded in the invoice can be looked up on LHDN's public verification portal, making it easy to confirm whether a given invoice is genuine. However, fraudulent parties could attempt to create fake invoices that have not gone through MyInvois at all — which is why buyers should always verify invoices by scanning the QR code or checking the UUID on LHDN's portal.
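
The tamper-evidence property and the RSA-SHA256 answer above, shown as an added example that is not LHDN or MyInvois code: it signs the SHA-256 digest of a canonicalized XML fragment with RSA (PKCS#1 v1.5 padding) and shows that a re-serialized copy still verifies while a changed amount does not. The key pair, the sample invoice and the function names are constructed for illustration; the standard library's C14N 2.0 canonicalizer stands in for the canonicalization step, and the full XML-DSig structure (SignedInfo, Reference) is left out.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed demo key from two well-known primes. NOT secure and NOT LHDN's key.
P, Q = 2**255 - 19, 2**256 - 2**32 - 977
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode(xml_text: str) -> int:
    """Canonicalize, hash with SHA-256, wrap in PKCS#1 v1.5 signature padding."""
    digest = hashlib.sha256(canonicalize(xml_text).encode("utf-8")).digest()
    t = SHA256_PREFIX + digest
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign(xml_text: str) -> int:
    """Signer side: needs the private exponent D."""
    return pow(encode(xml_text), D, N)


def verify(xml_text: str, signature: int) -> bool:
    """Verifier side: needs only the public values (N, E)."""
    if not 0 <= signature < N:
        return False
    # Rebuild the expected encoding and compare, rather than parsing the padding.
    return pow(signature, E, N) == encode(xml_text)


# Constructed sample invoice fragment (not a real UBL document).
SIGNED = ('<Invoice><ID>INV-0001</ID>'
          '<PayableAmount currencyID="MYR">100.00</PayableAmount></Invoice>')
RESERIALIZED = SIGNED.replace('"MYR"', "'MYR'")   # same content, different quoting
TAMPERED = SIGNED.replace("100.00", "900.00")     # amount changed after signing


def demo() -> tuple:
    sig = sign(SIGNED)
    return verify(SIGNED, sig), verify(RESERIALIZED, sig), verify(TAMPERED, sig)


if __name__ == "__main__":
    print(demo())
```

Verification tools for real invoices should rely on a maintained XML-DSig library and the signer's published certificate, not hand-written RSA.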

EInvoicingMalaysia.com is an independent directory. We are not affiliated with LHDN or the Malaysian government. Glossary definitions are for informational purposes and do not constitute legal or tax advice. Always refer to the official LHDN e-Invoice Guidelines at hasil.gov.my for authoritative requirements.