MAVLink 2 signing appends a 13-byte signature to a packet: 1 byte link ID, 6 bytes timestamp (10 µs resolution since 1 Jan 2015), and 6 bytes of a SHA-256 HMAC truncated to 48 bits.
text
Signature structure (13 bytes) ──────────────────────────────────────────── Byte Field Size Description ───── ────────── ───── ───────────────────────────── 0 Link ID 1 Identifies the logical link 1-6 Timestamp 6 µs / 10 since 1 Jan 2015 UTC 7-12 Signature 6 Truncated SHA-256 HMAC
The secret key (32 bytes) is shared out-of-band between trusted participants. The HMAC input is: secret_key + header + payload + CRC + link_id + timestamp. A receiver rejects packets with timestamps older than the last accepted timestamp for that (sysid, compid, link_id) tuple — this is replay protection.
Limitations
Signing provides authentication, not encryption. Payloads are still readable on the wire. It also adds 13 bytes per packet, which matters on bandwidth-constrained links. Some messages (e.g. RADIO_STATUS) may be configured as unsigned even on signed channels.