The signature base is the exact byte string that gets signed. For each covered component the
signer emits one canonical line — "name": value — in the chosen order, then a final
"@signature-params" line listing the covered components and metadata. Toggle components
below and watch the base assemble; the verifier rebuilds this identical string to check the
signature.
Order matters and is fixed by Signature-Input: the verifier reads the covered component
list and rebuilds the base in the same order. The trailing "@signature-params" line binds
the metadata (created, keyid, …) into the signature too. Try it with your own
request in the playground.