by busymom0 496 days ago
This is why, in one of my projects, I first stringified the JSON using the built-in JSON.stringify(your_json) function, then signed that string and sent the string, its signature, and the public key to the server. The server verifies the signature using the string and, if it passes, then uses JSON.parse(your_string) to get the original JSON.

The problem is the following two lines produce different outputs, despite having content that means the same thing:

    console.log(JSON.stringify({ x: 5, y: 6 }));
    console.log(JSON.stringify({ y: 6, x: 5 }));

I think the relevance of order is allowed to be up to each software's implementation:

https://datatracker.ietf.org/doc/html/rfc8259

Says:

> JSON parsing libraries have been observed to differ as to whether or not they make the ordering of object members visible to calling software. Implementations whose behavior does not depend on member ordering will be interoperable in the sense that they will not be affected by these differences.

So, a different signature makes sense. But it should not be an issue as long as both pieces of software are calculating/validating the signature on the string and not the JSON.

Usually, this is not a problem for signing.

Depends on your use case. We have this problem currently where I work.
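
The approach discussed in the thread (sign the serialized string, verify that same string, parse only afterwards), shown as an added example that is not code from any commenter. It uses Ed25519 from Node's built-in crypto module; the function names and sample payload are constructed for illustration, and the server is assumed to already trust the public key it verifies with.

```javascript
// Added example: sign the exact string, verify the exact string, then parse.
const crypto = require('node:crypto');

// Constructed key pair for the demo (assumption: the verifier already trusts publicKey).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Client side: serialize once and sign those exact bytes.
function signPayload(obj, key) {
  const body = JSON.stringify(obj);
  const signature = crypto
    .sign(null, Buffer.from(body, 'utf8'), key) // Ed25519 takes no separate digest
    .toString('base64');
  return { body, signature };
}

// Server side: verify over the received string first; parse only if it passes.
function verifyAndParse(body, signature, key) {
  const ok = crypto.verify(
    null,
    Buffer.from(body, 'utf8'),
    key,
    Buffer.from(signature, 'base64')
  );
  return ok ? JSON.parse(body) : null;
}

// Simulates a hop that parses and re-serializes with a different member order.
function reserializeReordered(body) {
  const obj = JSON.parse(body);
  const reordered = {};
  for (const k of Object.keys(obj).reverse()) reordered[k] = obj[k];
  return JSON.stringify(reordered);
}

function demo() {
  const { body, signature } = signPayload({ x: 5, y: 6 }, privateKey);
  const accepted = verifyAndParse(body, signature, publicKey);
  // Same content, different byte sequence: the original signature no longer matches.
  const reordered = reserializeReordered(body);
  const rejected = verifyAndParse(reordered, signature, publicKey);
  return { body, reordered, accepted, rejected };
}

console.log(demo());
```

Verification only holds while every hop forwards `body` byte for byte; anything that parses and re-emits the JSON before the check has to be treated as producing a new, unsigned message.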