RFC 6238 does not have specifications for digital signatures. The TOTP is generated on the HYPR-3 Token and is then encrypted with a key that is stored on the device at the time of provisioning.