ScriptSig

Unlocking code

Diagram showing the ScriptSig in an input unlocking the ScriptPubKey in the output from a previous transaction.

A ScriptSig provides the unlocking code for a previous output.

Each output in a transaction has a locking code (ScriptPubKey) placed on it. So when you come to select one as an input in a future transaction, you need to supply an unlocking code (ScriptSig) so that it can be spent. This locking/unlocking code uses a mini-programming language called Script.

The ScriptSig field is used to unlock legacy locking scripts such as P2PK, P2PKH, P2MS, P2SH (and other custom locking scripts). Newer segwit locking scripts such as P2WPKH and P2WSH are unlocked via the witness field.

Examples

What does a ScriptSig look like?

Here are some examples of what typical ScriptSigs look like.

They're almost always unique, but they have a similar structure depending on the type of locking script you're unlocking.

These are all actual examples, so you'll need to replace the public key and signatures if you're using them as templates in your own transactions.

P2PK (ScriptSig)

OP_PUSHBYTES_71
30440220576497b7e6f9b553c0aba0d8929432550e092db9c130aae37b84b545e7f4a36c022066cb982ed80608372c139d7bb9af335423d5280350fe3e06bd510e695480914f01
4730440220576497b7e6f9b553c0aba0d8929432550e092db9c130aae37b84b545e7f4a36c022066cb982ed80608372c139d7bb9af335423d5280350fe3e06bd510e695480914f01

Transaction: ea44e97271691990157559d0bdd9959e02790c34db6c006d779e82fa5aee708e (Input 0)

To unlock a P2PK locking script you only need to provide a single signature.

This is one of the simplest unlocking scripts. They are quite uncommon these days though and are mostly found when early coinbase transactions are being unlocked.

P2PKH (ScriptSig)

OP_PUSHBYTES_72
3045022100c233c3a8a510e03ad18b0a24694ef00c78101bfd5ac075b8c1037952ce26e91e02205aa5f8f88f29bb4ad5808ebc12abfd26bd791256f367b04c6d955f01f28a772401
OP_PUSHBYTES_33
03f0609c81a45f8cab67fc2d050c21b1acd3d37c7acfd54041be6601ab4cef4f31
483045022100c233c3a8a510e03ad18b0a24694ef00c78101bfd5ac075b8c1037952ce26e91e02205aa5f8f88f29bb4ad5808ebc12abfd26bd791256f367b04c6d955f01f28a7724012103f0609c81a45f8cab67fc2d050c21b1acd3d37c7acfd54041be6601ab4cef4f31

Transaction: 40e331b67c0fe7750bb3b1943b378bf702dce86124dc12fa5980f975db7ec930 (Input 0)

OP_PUSHBYTES_71
304402206dfb058ecbca366b72f61508c22f65c00c06dd7606ea5b3f38a512c0ef4d8819022055060ebaeb89c34c62e918d9c1e13d2dac577b21dd6abe514309d557e7eab79a01
OP_PUSHBYTES_65
04147c9684f526d6061e5bbf815e49adf1f3ad625a88f8103e9a2b7c49965e2d7ffae8345f424f7fa73ed85203611da2bfdfc3a7203ca8abb2534773fcb2c0454e
47304402206dfb058ecbca366b72f61508c22f65c00c06dd7606ea5b3f38a512c0ef4d8819022055060ebaeb89c34c62e918d9c1e13d2dac577b21dd6abe514309d557e7eab79a014104147c9684f526d6061e5bbf815e49adf1f3ad625a88f8103e9a2b7c49965e2d7ffae8345f424f7fa73ed85203611da2bfdfc3a7203ca8abb2534773fcb2c0454e

Transaction: bb420523868848e1b60ffe28a2f5a657e7db424e11aaacca19c992eb67805349 (Input 0)

To unlock a P2PKH locking script you need to provide a single signature along with a public key. The public key can either be a compressed public key (33 bytes) or an uncompressed public key (65 bytes).

This was one of the most common locking scripts inside the blockchain up until 2016. Since then, P2WPKH locking scripts have become more common; these work in the same way, but use the witness field for the unlocking code instead of the ScriptSig.

A P2PKH ScriptPubKey contains a public key hash, so the actual public key is revealed in the ScriptSig.

P2MS (ScriptSig)

OP_0
OP_PUSHBYTES_72
304502204aa764d2b30f572cc4ef17c8ed8536c46f595a08ba41a611b14f32c60282c150022100ede45011be565dc225cc9be292638cf7270b129934fe8758634716b8f7a34c0701
0048304502204aa764d2b30f572cc4ef17c8ed8536c46f595a08ba41a611b14f32c60282c150022100ede45011be565dc225cc9be292638cf7270b129934fe8758634716b8f7a34c0701

Transaction: 78b28d3c2324da8c2f01840021addbcabb68f7ce1d4da870cabe5e9df6afe63d (Input 0)

OP_0
OP_PUSHBYTES_72
3045022100af204ef91b8dba5884df50f87219ccef22014c21dd05aa44470d4ed800b7f6e40220428fe058684db1bb2bfb6061bff67048592c574effc217f0d150daedcf36787601
OP_PUSHBYTES_72
3045022100e8547aa2c2a2761a5a28806d3ae0d1bbf0aeff782f9081dfea67b86cacb321340220771a166929469c34959daf726a2ac0c253f9aff391e58a3c7cb46d8b7e0fdc4801
00483045022100af204ef91b8dba5884df50f87219ccef22014c21dd05aa44470d4ed800b7f6e40220428fe058684db1bb2bfb6061bff67048592c574effc217f0d150daedcf36787601483045022100e8547aa2c2a2761a5a28806d3ae0d1bbf0aeff782f9081dfea67b86cacb321340220771a166929469c34959daf726a2ac0c253f9aff391e58a3c7cb46d8b7e0fdc4801

Transaction: 949591ad468cef5c41656c0a502d9500671ee421fadb590fbc6373000039b693 (Input 0)

To unlock a P2MS locking script you need to provide multiple signatures to meet the requirements of the original locking script. These ScriptSigs usually contain between 1 and 3 signatures, although technically a P2MS ScriptSig could contain up to 20 signatures.

Raw P2MS ScriptSigs are quite rare though, as most P2MS locking scripts are wrapped inside a P2SH.

P2MS scripts have a bug where the OP_CHECKMULTISIG opcode pops one more element off the stack than it should, which is why all P2MS ScriptSigs start with a redundant OP_0 (or something similar) to counteract this.

P2SH (ScriptSig)

OP_0
OP_PUSHBYTES_71
3044022100d0ed946330182916da16a6149cd313a4b1a7b41591ee52fb3e79d64e36139d66021f6ccf173040ef24cb45c4db3e9c771c938a1ba2cf8d2404416f70886e360af401
OP_PUSHBYTES_71
5121022afc20bf379bc96a2f4e9e63ffceb8652b2b6a097f63fbee6ecec2a49a48010e2103a767c7221e9f15f870f1ad9311f5ab937d79fcaeee15bb2c722bca515581b4c052ae
00473044022100d0ed946330182916da16a6149cd313a4b1a7b41591ee52fb3e79d64e36139d66021f6ccf173040ef24cb45c4db3e9c771c938a1ba2cf8d2404416f70886e360af401475121022afc20bf379bc96a2f4e9e63ffceb8652b2b6a097f63fbee6ecec2a49a48010e2103a767c7221e9f15f870f1ad9311f5ab937d79fcaeee15bb2c722bca515581b4c052ae

Transaction: 30c239f3ae062c5f1151476005fd0057adfa6922de1b38d0f11eb657a8157b30 (Input 11)

P2SH locking scripts are a bit more complex than standard scripts.

The ScriptSig for a P2SH contains both the unlocking script and the locking script.

So in the example above, the second data push is the Redeem Script containing a typical P2MS locking script, and the data push before it is the single signature required to satisfy that Redeem Script.

P2SH can be used to wrap various types of custom locking scripts, so there's no set template for how the ScriptSig should look (aside from the Redeem Script being the last data push). However, the majority of the time P2SH is used to wrap P2MS locking scripts, so most P2SH ScriptSigs will look similar to the example above.

Here's a non-standard script found inside a P2SH script:

OP_PUSHDATA2
4001
255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017f46dc93a6b67e013b029aaa1db2560b45ca67d688c7f84b8c4c791fe02b3df614f86db1690901c56b45c1530afedfb76038e972722fe7ad728f0e4904e046c230570fe9d41398abe12ef5bc942be33542a4802d98b5d70f2a332ec37fac3514e74ddc0f2cc1a874cd0c78305a21566461309789606bd0bf3f98cda8044629a1
OP_PUSHDATA2
4001
255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017346dc9166b67e118f029ab621b2560ff9ca67cca8c7f85ba84c79030c2b3de218f86db3a90901d5df45c14f26fedfb3dc38e96ac22fe7bd728f0e45bce046d23c570feb141398bb552ef5a0a82be331fea48037b8b5d71f0e332edf93ac3500eb4ddc0decc1a864790c782c76215660dd309791d06bd0af3f98cda4bc4629b1
OP_PUSHBYTES_8
6e879169a77ca787
4d4001255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017f46dc93a6b67e013b029aaa1db2560b45ca67d688c7f84b8c4c791fe02b3df614f86db1690901c56b45c1530afedfb76038e972722fe7ad728f0e4904e046c230570fe9d41398abe12ef5bc942be33542a4802d98b5d70f2a332ec37fac3514e74ddc0f2cc1a874cd0c78305a21566461309789606bd0bf3f98cda8044629a14d4001255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017346dc9166b67e118f029ab621b2560ff9ca67cca8c7f85ba84c79030c2b3de218f86db3a90901d5df45c14f26fedfb3dc38e96ac22fe7bd728f0e45bce046d23c570feb141398bb552ef5a0a82be331fea48037b8b5d71f0e332edf93ac3500eb4ddc0decc1a864790c782c76215660dd309791d06bd0af3f98cda4bc4629b1086e879169a77ca787

Transaction: 8d31992805518fd62daa3bdd2a5c4fd2cd3054c9b3dca1d78055e9528cff6adc (Input 4)

The last data push in this ScriptSig is a locking script that requires two separate pieces of data that have the same SHA-1 hash result (OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL). So the two data pushes at the start provide those two separate pieces of data that satisfy the locking script.

You can inspect the locking script inside a P2SH ScriptSig by decoding the final data push. For example, try decoding 6e879169a77ca787.
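
One way to do that decoding yourself, as an added example that is not part of the original page or its tool: a small Python decoder that splits a ScriptSig into its data pushes and opcodes and rejects a push that runs past the end of the script. The opcode table is limited to the opcodes that appear on this page, and the function names are the example's own.

```python
# Added example: a minimal ScriptSig decoder. The opcode table covers only the
# opcodes that appear on this page; the function names are this example's own.
OPCODES = {0x00: "OP_0", 0x69: "OP_VERIFY", 0x6e: "OP_2DUP", 0x7c: "OP_SWAP",
           0x87: "OP_EQUAL", 0x88: "OP_EQUALVERIFY", 0x91: "OP_NOT",
           0x93: "OP_ADD", 0x94: "OP_SUB", 0xa7: "OP_SHA1",
           0xac: "OP_CHECKSIG", 0xae: "OP_CHECKMULTISIG"}
OPCODES.update({0x50 + n: f"OP_{n}" for n in range(1, 17)})  # OP_1 .. OP_16
PUSHDATA = {0x4c: 1, 0x4d: 2, 0x4e: 4}  # OP_PUSHDATA1/2/4 -> bytes in the length field


def decode_script(hex_script):
    """Split a script into (name, data) items; data is None for non-push opcodes."""
    raw, items, i = bytes.fromhex(hex_script), [], 0
    while i < len(raw):
        op = raw[i]
        i += 1
        if 0x01 <= op <= 0x4b:            # OP_PUSHBYTES_n: the opcode is the length
            name, size = f"OP_PUSHBYTES_{op}", op
        elif op in PUSHDATA:              # length follows the opcode, little-endian
            width = PUSHDATA[op]
            if i + width > len(raw):
                raise ValueError("script ends inside a PUSHDATA length field")
            name, size = f"OP_PUSHDATA{width}", int.from_bytes(raw[i:i + width], "little")
            i += width
        else:                             # any other byte is a plain opcode
            items.append((OPCODES.get(op, f"OP_UNKNOWN_0x{op:02x}"), None))
            continue
        if i + size > len(raw):           # a push must not run past the end of the script
            raise ValueError(f"{name} wants {size} bytes, {len(raw) - i} remain")
        items.append((name, raw[i:i + size]))
        i += size
    return items


def to_asm(hex_script):
    """Render a script as the ASM notation used on this page."""
    return " ".join(n if d is None else f"{n} {d.hex()}" for n, d in decode_script(hex_script))


def redeem_script_asm(script_sig_hex):
    """For a P2SH ScriptSig, decode the final data push as a script of its own."""
    pushes = [d for _, d in decode_script(script_sig_hex) if d is not None]
    if not pushes:
        raise ValueError("ScriptSig contains no data push")
    return to_asm(pushes[-1].hex())


if __name__ == "__main__":
    print(to_asm("6e879169a77ca787"))   # the final push of the SHA-1 example above
```

Passing any full P2SH ScriptSig from this page to `redeem_script_asm` prints the Redeem Script revealed in its last push.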

Similar to P2PKH, the P2SH locking script has now been superseded by P2WSH, which works in exactly the same way as P2SH but uses the witness field for the unlocking code rather than the ScriptSig.

A P2SH ScriptPubKey contains the Script Hash, so the ScriptSig is where the full Redeem Script is revealed.

Custom (ScriptSig)

OP_5
OP_3
5553

Transaction: 7afdcb9067f6549a569116a79cb1256920a0c566ff36cf4dce88718d57402f4f (Input 0)

Sometimes you'll find ScriptSigs unlocking custom scripts.

In the example above the original locking script was a simple math problem that asks for two numbers that add to equal 8, and where the second number is 2 less than the first (OP_2DUP OP_ADD OP_8 OP_EQUALVERIFY OP_SUB OP_2 OP_EQUAL).

These kinds of custom scripts are pretty rare though, as the majority of custom locking scripts are wrapped in a P2SH rather than being placed directly in the ScriptPubKey of an output. Placed directly, these locking scripts are considered non-standard and do not get relayed by nodes, but they are valid and can still be mined into the blockchain.
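
To see why OP_5 OP_3 unlocks that locking script, here is an added example (not from the original page) that runs the ScriptSig followed by the locking script on a single stack. It assumes a simplified model: stack items are Python integers rather than Script's byte strings, and only the opcodes in this one script are implemented.

```python
# Added example: a toy evaluator for the custom script above. Stack items are
# Python ints (real Script uses byte strings) and only this script's opcodes exist.
LOCKING_SCRIPT = "OP_2DUP OP_ADD OP_8 OP_EQUALVERIFY OP_SUB OP_2 OP_EQUAL"


def run_script(script_sig, script_pubkey=LOCKING_SCRIPT):
    """Run the unlocking code, then the locking code, on one stack.

    Returns True only if execution finishes with a non-zero item on top.
    """
    stack = []
    try:
        for op in script_sig.split() + script_pubkey.split():
            if op[3:].isdigit():                  # OP_0 .. OP_16 push their number
                stack.append(int(op[3:]))
            elif op == "OP_2DUP":                 # copy the top two items
                a, b = stack[-2], stack[-1]       # IndexError if fewer than two items
                stack += [a, b]
            elif op in ("OP_ADD", "OP_SUB", "OP_EQUAL", "OP_EQUALVERIFY"):
                b, a = stack.pop(), stack.pop()   # b was on top, a beneath it
                if op == "OP_ADD":
                    stack.append(a + b)
                elif op == "OP_SUB":
                    stack.append(a - b)
                elif op == "OP_EQUAL":
                    stack.append(int(a == b))
                elif a != b:                      # OP_EQUALVERIFY: fail now, push nothing
                    return False
            else:
                raise ValueError(f"opcode not modelled in this example: {op}")
    except IndexError:                            # stack underflow makes the script invalid
        return False
    return bool(stack) and stack[-1] != 0


def solutions():
    """Try every pair of small-number pushes and keep those that unlock the script."""
    return [(a, b) for a in range(17) for b in range(17)
            if run_script(f"OP_{a} OP_{b}")]


if __name__ == "__main__":
    print(run_script("OP_5 OP_3"), solutions())
```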

Terminology

Why is it called a ScriptSig?

The ScriptSig contains Script, and it usually contains a signature, which is why it's called a "ScriptSig" for short.

A ScriptSig does not have to contain a signature, but we still call it a ScriptSig because that's the variable name Satoshi used in the original version of bitcoin, as outputs are primarily intended to be locked to someone else's public key and then unlocked with a corresponding digital signature.

But yes, it does make more sense to just think of the "ScriptSig" as the "unlocking code" field inside a raw transaction.

"ScriptSig", "scriptSig", and "scriptsig" are just different ways of writing the same thing. There's no official way of writing it, although the camel case variant with a lowercase letter for the first word ("scriptSig") is the way Satoshi wrote it and seems to be the most prevalent.

Coinbase

The input of a coinbase transaction does not actually reference any previous output that needs to be unlocked, so the ScriptSig is basically a "spare" field that miners can use to put any data they like into it. The only restriction is that it must be between 2 and 100 bytes in size.

Miners often use the ScriptSig inside their coinbase transactions to add custom messages or some text to identify who mined the block. Take the genesis block for example:

OP_PUSHBYTES_4
ffff001d
OP_PUSHBYTES_1
04
OP_PUSHBYTES_69
5468652054696d65732030332f4a616e2f32303039204368616e63656c6c6f72206f6e206272696e6b206f66207365636f6e64206261696c6f757420666f722062616e6b73
04ffff001d0104455468652054696d65732030332f4a616e2f32303039204368616e63656c6c6f72206f6e206272696e6b206f66207365636f6e64206261696c6f757420666f722062616e6b73

Transaction: 4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b (Input 0)

If you convert that last data push from hex bytes to ASCII you get: The Times 03/Jan/2009 Chancellor on brink of second bailout for banks

Here are a few more examples of messages found inside the ScriptSig of coinbase transactions:

Check out bitcoinstrings.com for more examples.

BIP 34: Since block height 227,836 miners are required to place the current block height at the start of the ScriptSig in coinbase transactions.

The fact that miners are free to place any data they like in the ScriptSig means it can also be used as an ExtraNonce.