3.2.4.1.1 Signing the Message
The client MUST sign the message if one of the following conditions is TRUE:
If Connection.Dialect is equal to "2.0.2" or "2.1", the message being sent contains a nonzero value in the SessionId field and the session identified by the SessionId has Session.SigningRequired equal to TRUE.
If Connection.Dialect belongs to 3.x dialect family, the message being sent contains a nonzero value in the SessionId field and one of the following conditions is TRUE:
The session identified by SessionId has Session.EncryptData equal to FALSE.
The tree connection identified by the TreeId field has TreeConnect.EncryptData equal to FALSE.
If Session.SigningRequired is FALSE, the client MAY<108> sign the request.
If the client implements the SMB 3.x dialect family, and if the request is for session set up, the client MUST use Session.SigningKey, and for all other requests the client MUST provide Channel.SigningKey by looking up the Channel in Session.ChannelList, where the connection matches the Channel.Connection. Otherwise, the client MUST use Session.SessionKey for signing the request. The client provides the key for signing, the length of the request, and the request itself, and calculates the signature as specified in section 3.1.4.1. If the client signs the request, it MUST set the SMB2_FLAGS_SIGNED bit in the Flags field of the SMB2 header. If the client encrypts the message, as specified in section 3.1.4.3, then the client MUST set the Signature field of the SMB2 header to zero.