3.1.7.1.4 Signing the Packet
If Message.AuthenticationLevel is not None, the packet MUST be signed. The following steps MUST be performed to sign the packet:
If Message.DestinationMultiQueueFormatName is set:
The protocol MUST compute a hash of the fields specified in [MS-MQMQ] section 2.5.3 for an MSMQ 3.0 digital signature, using the hash algorithm specified by the UserMessage.MessagePropertiesHeader.HashAlgorithm field.
The UserMessage.MultiQueueFormatHeader.Signature field MUST be set to the value of the hash encrypted using RSA and the sender private key.
Otherwise:
The protocol MUST compute a hash of the fields specified in [MS-MQMQ] section 2.5 for the MSMQ digital signature type indicated by the value of the AuthenticationLevel ADM attribute of the Message ([MS-MQDMPR] section 3.1.1.12) ADM element, using the hash algorithm specified by the UserMessage.MessagePropertiesHeader.HashAlgorithm field.
The UserMessage.SecurityHeader.SecurityData.Signature field MUST be set to the value of the hash encrypted using RSA and the sender private key.