diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
index 3a26cfbdcab52e..6baf3dfa7483b4 100644
--- a/deps/ncrypto/ncrypto.cc
+++ b/deps/ncrypto/ncrypto.cc
@@ -3783,6 +3783,35 @@ bool EVPKeyCtxPointer::setSignatureMd(const EVPMDCtxPointer& md) {
          1;
 }
 
+bool EVPKeyCtxPointer::setSignatureMd(const Digest& md) {
+  if (!ctx_ || !md) return false;
+  return EVP_PKEY_CTX_set_signature_md(ctx_.get(), md.get()) == 1;
+}
+
+#if OPENSSL_VERSION_MAJOR >= 3
+int EVPKeyCtxPointer::initForSignEx(const OSSL_PARAM params[]) {
+  if (!ctx_) return 0;
+  return EVP_PKEY_sign_init_ex(ctx_.get(), params);
+}
+
+int EVPKeyCtxPointer::initForVerifyEx(const OSSL_PARAM params[]) {
+  if (!ctx_) return 0;
+  return EVP_PKEY_verify_init_ex(ctx_.get(), params);
+}
+#endif
+
+#ifdef OSSL_SIGNATURE_PARAM_MU
+int EVPKeyCtxPointer::initForSignMessage(const OSSL_PARAM params[]) {
+  if (!ctx_) return 0;
+  return EVP_PKEY_sign_message_init(ctx_.get(), nullptr, params);
+}
+
+int EVPKeyCtxPointer::initForVerifyMessage(const OSSL_PARAM params[]) {
+  if (!ctx_) return 0;
+  return EVP_PKEY_verify_message_init(ctx_.get(), nullptr, params);
+}
+#endif
+
 bool EVPKeyCtxPointer::initForEncrypt() {
   if (!ctx_) return false;
   return EVP_PKEY_encrypt_init(ctx_.get()) == 1;
@@ -4321,6 +4350,27 @@ std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::signInitWithContext(
 #ifdef OSSL_SIGNATURE_PARAM_CONTEXT_STRING
   EVP_PKEY_CTX* ctx = nullptr;
 
+#ifdef OSSL_SIGNATURE_PARAM_INSTANCE
+  // Ed25519ctx requires the INSTANCE param to enable context string support.
+  // Ed25519 pure mode ignores context strings without this.
+  if (key.id() == EVP_PKEY_ED25519) {
+    const OSSL_PARAM params[] = {
+        OSSL_PARAM_construct_utf8_string(
+            OSSL_SIGNATURE_PARAM_INSTANCE, const_cast<char*>("Ed25519ctx"), 0),
+        OSSL_PARAM_construct_octet_string(
+            OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+            const_cast<unsigned char*>(context_string.data),
+            context_string.len),
+        OSSL_PARAM_END};
+
+    if (!EVP_DigestSignInit_ex(
+            ctx_.get(), &ctx, nullptr, nullptr, nullptr, key.get(), params)) {
+      return std::nullopt;
+    }
+    return ctx;
+  }
+#endif  // OSSL_SIGNATURE_PARAM_INSTANCE
+
   const OSSL_PARAM params[] = {
       OSSL_PARAM_construct_octet_string(
           OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
@@ -4345,6 +4395,27 @@ std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::verifyInitWithContext(
 #ifdef OSSL_SIGNATURE_PARAM_CONTEXT_STRING
   EVP_PKEY_CTX* ctx = nullptr;
 
+#ifdef OSSL_SIGNATURE_PARAM_INSTANCE
+  // Ed25519ctx requires the INSTANCE param to enable context string support.
+  // Ed25519 pure mode ignores context strings without this.
+  if (key.id() == EVP_PKEY_ED25519) {
+    const OSSL_PARAM params[] = {
+        OSSL_PARAM_construct_utf8_string(
+            OSSL_SIGNATURE_PARAM_INSTANCE, const_cast<char*>("Ed25519ctx"), 0),
+        OSSL_PARAM_construct_octet_string(
+            OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+            const_cast<unsigned char*>(context_string.data),
+            context_string.len),
+        OSSL_PARAM_END};
+
+    if (!EVP_DigestVerifyInit_ex(
+            ctx_.get(), &ctx, nullptr, nullptr, nullptr, key.get(), params)) {
+      return std::nullopt;
+    }
+    return ctx;
+  }
+#endif  // OSSL_SIGNATURE_PARAM_INSTANCE
+
   const OSSL_PARAM params[] = {
       OSSL_PARAM_construct_octet_string(
           OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
index 5ffaee379e481a..a10cb7f6843616 100644
--- a/deps/ncrypto/ncrypto.h
+++ b/deps/ncrypto/ncrypto.h
@@ -798,6 +798,7 @@ class EVPKeyCtxPointer final {
   bool setRsaOaepLabel(DataPointer&& data);
 
   bool setSignatureMd(const EVPMDCtxPointer& md);
+  bool setSignatureMd(const Digest& md);
 
   bool publicCheck() const;
   bool privateCheck() const;
@@ -821,6 +822,14 @@ class EVPKeyCtxPointer final {
   bool initForKeygen();
   int initForVerify();
   int initForSign();
+#if OPENSSL_VERSION_MAJOR >= 3
+  int initForVerifyEx(const OSSL_PARAM params[]);
+  int initForSignEx(const OSSL_PARAM params[]);
+#endif
+#ifdef OSSL_SIGNATURE_PARAM_MU
+  int initForSignMessage(const OSSL_PARAM params[]);
+  int initForVerifyMessage(const OSSL_PARAM params[]);
+#endif
 
   static EVPKeyCtxPointer New(const EVPKeyPointer& key);
   static EVPKeyCtxPointer NewFromID(int id);
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index acde45c346c84e..3e743615085fd6 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -5745,6 +5745,9 @@ Throws an error if FIPS mode is not available.
 <!-- YAML
 added: v12.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/62345
+    description: Add support for Ed25519 context parameter.
   - version: v24.8.0
     pr-url: https://github.com/nodejs/node/pull/59570
     description: Add support for ML-DSA, Ed448, and SLH-DSA context parameter.
@@ -5808,12 +5811,71 @@ additional properties can be passed:
   `crypto.constants.RSA_PSS_SALTLEN_DIGEST` sets the salt length to the digest
   size, `crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN` (default) sets it to the
   maximum permissible value.
-* `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed448, ML-DSA, and SLH-DSA,
+* `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519, Ed448, ML-DSA, and SLH-DSA,
   this option specifies the optional context to differentiate signatures generated
   for different purposes with the same key.
 
 If the `callback` function is provided this function uses libuv's threadpool.
 
+### `crypto.signDigest(algorithm, digest, key[, callback])`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+<!--lint disable maximum-line-length remark-lint-->
+
+* `algorithm` {string | null | undefined}
+* `digest` {ArrayBuffer|Buffer|TypedArray|DataView}
+* `key` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject|CryptoKey}
+* `callback` {Function}
+  * `err` {Error}
+  * `signature` {Buffer}
+* Returns: {Buffer} if the `callback` function is not provided.
+
+<!--lint enable maximum-line-length remark-lint-->
+
+Calculates and returns the signature for `digest` using the given private key
+and algorithm. Unlike [`crypto.sign()`][], this function does not hash the data
+internally — `digest` is expected to be a pre-computed hash digest.
+
+The interpretation of `algorithm` and `digest` depends on the key type:
+
+* RSA, ECDSA, DSA: `algorithm` identifies the hash function used to create
+  `digest`.
+* Ed25519, Ed448: `algorithm` must be `null` or `undefined`. `digest` must
+  be the output of the appropriate prehash function (SHA-512 for Ed25519ph,
+  SHAKE256 with 64-byte output for Ed448ph).
+* ML-DSA: `algorithm` must be `null` or `undefined`. `digest` must be the
+  64-byte external mu value per FIPS 204.
+
+If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
+passed to [`crypto.createPrivateKey()`][]. If it is an object, the following
+additional properties can be passed:
+
+* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the
+  format of the generated signature. It can be one of the following:
+  * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
+  * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
+* `padding` {integer} Optional padding value for RSA, one of the following:
+
+  * `crypto.constants.RSA_PKCS1_PADDING` (default)
+  * `crypto.constants.RSA_PKCS1_PSS_PADDING`
+
+  `RSA_PKCS1_PSS_PADDING` will use MGF1 with the same hash function
+  used to create the digest as specified in section 3.1 of [RFC 4055][].
+* `saltLength` {integer} Salt length for when padding is
+  `RSA_PKCS1_PSS_PADDING`. The special value
+  `crypto.constants.RSA_PSS_SALTLEN_DIGEST` sets the salt length to the digest
+  size, `crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN` (default) sets it to the
+  maximum permissible value.
+* `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519ph and Ed448ph,
+  this option specifies the optional context to differentiate signatures
+  generated for different purposes with the same key. Not supported for ML-DSA
+  keys because the context is already encoded into the mu value.
+
+If the `callback` function is provided this function uses libuv's threadpool.
+
 ### `crypto.subtle`
 
 <!-- YAML
@@ -5870,6 +5932,9 @@ not introduce timing vulnerabilities.
 <!-- YAML
 added: v12.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/62345
+    description: Add support for Ed25519 context parameter.
   - version: v24.8.0
     pr-url: https://github.com/nodejs/node/pull/59570
     description: Add support for ML-DSA, Ed448, and SLH-DSA context parameter.
@@ -5939,7 +6004,7 @@ additional properties can be passed:
   `crypto.constants.RSA_PSS_SALTLEN_DIGEST` sets the salt length to the digest
   size, `crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN` (default) sets it to the
   maximum permissible value.
-* `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed448, ML-DSA, and SLH-DSA,
+* `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519, Ed448, ML-DSA, and SLH-DSA,
   this option specifies the optional context to differentiate signatures generated
   for different purposes with the same key.
 
@@ -5950,6 +6015,73 @@ key may be passed for `key`.
 
 If the `callback` function is provided this function uses libuv's threadpool.
 
+### `crypto.verifyDigest(algorithm, digest, key, signature[, callback])`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+<!--lint disable maximum-line-length remark-lint-->
+
+* `algorithm` {string|null|undefined}
+* `digest` {ArrayBuffer|Buffer|TypedArray|DataView}
+* `key` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject|CryptoKey}
+* `signature` {ArrayBuffer|Buffer|TypedArray|DataView}
+* `callback` {Function}
+  * `err` {Error}
+  * `result` {boolean}
+* Returns: {boolean} `true` or `false` depending on the validity of the
+  signature for the digest and public key if the `callback` function is not
+  provided.
+
+<!--lint enable maximum-line-length remark-lint-->
+
+Verifies the given signature for `digest` using the given key and algorithm.
+Unlike [`crypto.verify()`][], this function does not hash the data
+internally — `digest` is expected to be a pre-computed hash digest.
+
+The interpretation of `algorithm` and `digest` depends on the key type:
+
+* RSA, ECDSA, DSA: `algorithm` identifies the hash function used to create
+  `digest`.
+* Ed25519, Ed448: `algorithm` must be `null` or `undefined`. `digest` must
+  be the output of the appropriate prehash function (SHA-512 for Ed25519ph,
+  SHAKE256 with 64-byte output for Ed448ph).
+* ML-DSA: `algorithm` must be `null` or `undefined`. `digest` must be the
+  64-byte external mu value per FIPS 204.
+
+If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
+passed to [`crypto.createPublicKey()`][]. If it is an object, the following
+additional properties can be passed:
+
+* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the
+  format of the signature. It can be one of the following:
+  * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
+  * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
+* `padding` {integer} Optional padding value for RSA, one of the following:
+
+  * `crypto.constants.RSA_PKCS1_PADDING` (default)
+  * `crypto.constants.RSA_PKCS1_PSS_PADDING`
+
+  `RSA_PKCS1_PSS_PADDING` will use MGF1 with the same hash function
+  used to create the digest as specified in section 3.1 of [RFC 4055][].
+* `saltLength` {integer} Salt length for when padding is
+  `RSA_PKCS1_PSS_PADDING`. The special value
+  `crypto.constants.RSA_PSS_SALTLEN_DIGEST` sets the salt length to the digest
+  size, `crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN` (default) sets it to the
+  maximum permissible value.
+* `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519ph and Ed448ph,
+  this option specifies the optional context to differentiate signatures
+  generated for different purposes with the same key. Not supported for ML-DSA
+  keys because the context is already encoded into the mu value.
+
+The `signature` argument is the previously calculated signature for the `digest`.
+
+Because public keys can be derived from private keys, a private key or a public
+key may be passed for `key`.
+
+If the `callback` function is provided this function uses libuv's threadpool.
+
 ### `crypto.webcrypto`
 
 <!-- YAML
@@ -6572,6 +6704,8 @@ See the [list of SSL OP Flags][] for details.
 [`crypto.publicEncrypt()`]: #cryptopublicencryptkey-buffer
 [`crypto.randomBytes()`]: #cryptorandombytessize-callback
 [`crypto.randomFill()`]: #cryptorandomfillbuffer-offset-size-callback
+[`crypto.sign()`]: #cryptosignalgorithm-data-key-callback
+[`crypto.verify()`]: #cryptoverifyalgorithm-data-key-signature-callback
 [`crypto.webcrypto.getRandomValues()`]: webcrypto.md#cryptogetrandomvaluestypedarray
 [`crypto.webcrypto.subtle`]: webcrypto.md#class-subtlecrypto
 [`decipher.final()`]: #decipherfinaloutputencoding
diff --git a/lib/crypto.js b/lib/crypto.js
index 4290989f3cd6b1..daf5ea6ca1ab07 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -103,8 +103,10 @@ const {
 const {
   Sign,
   signOneShot,
+  signDigestOneShot,
   Verify,
   verifyOneShot,
+  verifyDigestOneShot,
 } = require('internal/crypto/sig');
 const {
   Hash,
@@ -223,11 +225,13 @@ module.exports = {
   scrypt,
   scryptSync,
   sign: signOneShot,
+  signDigest: signDigestOneShot,
   setEngine,
   timingSafeEqual,
   getFips,
   setFips,
   verify: verifyOneShot,
+  verifyDigest: verifyDigestOneShot,
   hash,
   encapsulate,
   decapsulate,
diff --git a/lib/internal/crypto/sig.js b/lib/internal/crypto/sig.js
index 7d38c0bdf60687..65342e445e88e8 100644
--- a/lib/internal/crypto/sig.js
+++ b/lib/internal/crypto/sig.js
@@ -46,6 +46,7 @@ const { Writable } = require('stream');
 const { Buffer } = require('buffer');
 
 const {
+  isAnyArrayBuffer,
   isArrayBufferView,
 } = require('internal/util/types');
 
@@ -152,14 +153,29 @@ Sign.prototype.sign = function sign(options, encoding) {
   return ret;
 };
 
-function signOneShot(algorithm, data, key, callback) {
+function validateDigestOrData(data, prehashed) {
+  if (prehashed) {
+    if (!isArrayBufferView(data) && !isAnyArrayBuffer(data)) {
+      throw new ERR_INVALID_ARG_TYPE(
+        'digest',
+        ['ArrayBuffer', 'Buffer', 'TypedArray', 'DataView'],
+        data,
+      );
+    }
+    return data;
+  }
+
+  return getArrayBufferOrView(data, 'data');
+}
+
+function signOneShotImpl(algorithm, data, key, callback, prehashed) {
   if (algorithm != null)
     validateString(algorithm, 'algorithm');
 
   if (callback !== undefined)
     validateFunction(callback, 'callback');
 
-  data = getArrayBufferOrView(data, 'data');
+  data = validateDigestOrData(data, prehashed);
 
   if (!key)
     throw new ERR_CRYPTO_SIGN_KEY_REQUIRED();
@@ -194,7 +210,8 @@ function signOneShot(algorithm, data, key, callback) {
     rsaPadding,
     dsaSigEnc,
     context,
-    undefined);
+    undefined,
+    prehashed);
 
   if (!callback) {
     const { 0: err, 1: signature } = job.run();
@@ -211,6 +228,10 @@ function signOneShot(algorithm, data, key, callback) {
   job.run();
 }
 
+function signOneShot(algorithm, data, key, callback) {
+  return signOneShotImpl(algorithm, data, key, callback, false);
+}
+
 function Verify(algorithm, options) {
   if (!(this instanceof Verify))
     return new Verify(algorithm, options);
@@ -248,22 +269,14 @@ Verify.prototype.verify = function verify(options, signature, sigEncoding) {
                               rsaPadding, pssSaltLength, dsaSigEnc);
 };
 
-function verifyOneShot(algorithm, data, key, signature, callback) {
+function verifyOneShotImpl(algorithm, data, key, signature, callback, prehashed) {
   if (algorithm != null)
     validateString(algorithm, 'algorithm');
 
   if (callback !== undefined)
     validateFunction(callback, 'callback');
 
-  data = getArrayBufferOrView(data, 'data');
-
-  if (!isArrayBufferView(data)) {
-    throw new ERR_INVALID_ARG_TYPE(
-      'data',
-      ['Buffer', 'TypedArray', 'DataView'],
-      data,
-    );
-  }
+  data = validateDigestOrData(data, prehashed);
 
   // Options specific to RSA
   const rsaPadding = getPadding(key);
@@ -303,7 +316,8 @@ function verifyOneShot(algorithm, data, key, signature, callback) {
     rsaPadding,
     dsaSigEnc,
     context,
-    signature);
+    signature,
+    prehashed);
 
   if (!callback) {
     const { 0: err, 1: result } = job.run();
@@ -320,9 +334,23 @@ function verifyOneShot(algorithm, data, key, signature, callback) {
   job.run();
 }
 
+function verifyOneShot(algorithm, data, key, signature, callback) {
+  return verifyOneShotImpl(algorithm, data, key, signature, callback, false);
+}
+
+function signDigestOneShot(algorithm, digest, key, callback) {
+  return signOneShotImpl(algorithm, digest, key, callback, true);
+}
+
+function verifyDigestOneShot(algorithm, digest, key, signature, callback) {
+  return verifyOneShotImpl(algorithm, digest, key, signature, callback, true);
+}
+
 module.exports = {
   Sign,
   signOneShot,
+  signDigestOneShot,
   Verify,
   verifyOneShot,
+  verifyDigestOneShot,
 };
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
index b4537efbac4bde..5211d0e707f5ba 100644
--- a/src/crypto/crypto_sig.cc
+++ b/src/crypto/crypto_sig.cc
@@ -203,6 +203,10 @@ void CheckThrow(Environment* env, SignBase::Error error) {
       return THROW_ERR_CRYPTO_OPERATION_FAILED(
           env, "Context parameter is unsupported");
 
+    case SignBase::Error::PrehashUnsupported:
+      return THROW_ERR_CRYPTO_OPERATION_FAILED(
+          env, "Prehashed signing is not supported for this key type");
+
     case SignBase::Error::Init:
     case SignBase::Error::Update:
     case SignBase::Error::PrivateKey:
@@ -241,6 +245,7 @@ bool SupportsContextString(const EVPKeyPointer& key) {
   return false;
 #else
   switch (key.id()) {
+    case EVP_PKEY_ED25519:
     case EVP_PKEY_ED448:
 #if OPENSSL_WITH_PQC
     case EVP_PKEY_ML_DSA_44:
@@ -682,6 +687,10 @@ Maybe<void> SignTraits::AdditionalConfig(
     }
   }
 
+  if (args[offset + 12]->IsTrue()) {
+    params->flags |= SignConfiguration::kHasPrehashed;
+  }
+
   return JustVoid();
 }
 
@@ -690,19 +699,171 @@ bool SignTraits::DeriveBits(Environment* env,
                             ByteSource* out,
                             CryptoJobMode mode) {
   bool can_throw = mode == CryptoJobMode::kCryptoJobSync;
-  auto context = EVPMDCtxPointer::New();
-  if (!context) [[unlikely]]
-    return false;
   const auto& key = params.key.GetAsymmetricKey();
 
   bool has_context = (params.flags & SignConfiguration::kHasContextString &&
                       params.context_string.size() > 0);
+  bool is_prehashed = params.flags & SignConfiguration::kHasPrehashed;
+  bool is_sign = params.mode == SignConfiguration::Mode::Sign;
 
-  if (has_context && !SupportsContextString(key)) {
+  if (has_context && !is_prehashed && !SupportsContextString(key)) {
     if (can_throw) crypto::CheckThrow(env, SignBase::Error::ContextUnsupported);
     return false;
   }
 
+  // Prehashed signing: the caller already hashed the data and is providing
+  // the digest directly. Use the low-level EVP_PKEY_sign/EVP_PKEY_verify path.
+  if (is_prehashed) {
+    const int key_type = key.id();
+
+    EVPKeyCtxPointer pkctx = key.newCtx();
+    if (!pkctx) [[unlikely]] {
+      if (can_throw) crypto::CheckThrow(env, SignBase::Error::Init);
+      return false;
+    }
+
+    int init_ret;
+
+    switch (key_type) {
+      case EVP_PKEY_ED25519:
+      case EVP_PKEY_ED448: {
+#ifdef OSSL_SIGNATURE_PARAM_INSTANCE
+        const char* instance_name =
+            key_type == EVP_PKEY_ED25519 ? "Ed25519ph" : "Ed448ph";
+
+        std::vector<OSSL_PARAM> ossl_params;
+        ossl_params.push_back(
+            OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE,
+                                             const_cast<char*>(instance_name),
+                                             0));
+
+        if (has_context) {
+          ossl_params.push_back(OSSL_PARAM_construct_octet_string(
+              OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+              const_cast<unsigned char*>(
+                  params.context_string.data<unsigned char>()),
+              params.context_string.size()));
+        }
+        ossl_params.push_back(OSSL_PARAM_END);
+
+        init_ret = is_sign ? pkctx.initForSignEx(ossl_params.data())
+                           : pkctx.initForVerifyEx(ossl_params.data());
+        break;
+#else
+        if (can_throw)
+          crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
+        return false;
+#endif  // OSSL_SIGNATURE_PARAM_INSTANCE
+      }
+
+#if OPENSSL_WITH_PQC
+      case EVP_PKEY_ML_DSA_44:
+      case EVP_PKEY_ML_DSA_65:
+      case EVP_PKEY_ML_DSA_87: {
+        // Context must already be part of the externally computed mu value.
+        if (has_context) {
+          if (can_throw)
+            crypto::CheckThrow(env, SignBase::Error::ContextUnsupported);
+          return false;
+        }
+
+#ifdef OSSL_SIGNATURE_PARAM_MU
+        int mu_flag = 1;
+        std::vector<OSSL_PARAM> ossl_params;
+        ossl_params.push_back(
+            OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_MU, &mu_flag));
+        ossl_params.push_back(OSSL_PARAM_END);
+
+        init_ret = is_sign ? pkctx.initForSignMessage(ossl_params.data())
+                           : pkctx.initForVerifyMessage(ossl_params.data());
+        break;
+#else
+        if (can_throw)
+          crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
+        return false;
+#endif  // OSSL_SIGNATURE_PARAM_MU
+      }
+#endif  // OPENSSL_WITH_PQC
+
+      default:
+        if (key.isOneShotVariant()) {
+          if (can_throw)
+            crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
+          return false;
+        }
+
+        init_ret = is_sign ? pkctx.initForSign() : pkctx.initForVerify();
+
+        if (init_ret <= 0) [[unlikely]] {
+          if (can_throw) crypto::CheckThrow(env, SignBase::Error::Init);
+          return false;
+        }
+
+        {
+          int padding = params.flags & SignConfiguration::kHasPadding
+                            ? params.padding
+                            : key.getDefaultSignPadding();
+
+          std::optional<int> salt_length =
+              params.flags & SignConfiguration::kHasSaltLength
+                  ? std::optional<int>(params.salt_length)
+                  : std::nullopt;
+
+          if (!ApplyRSAOptions(key, pkctx.get(), padding, salt_length)) {
+            if (can_throw) crypto::CheckThrow(env, SignBase::Error::PrivateKey);
+            return false;
+          }
+
+          if (!pkctx.setSignatureMd(params.digest)) {
+            if (can_throw) crypto::CheckThrow(env, SignBase::Error::Init);
+            return false;
+          }
+        }
+        break;
+    }
+
+    if (init_ret <= 0) [[unlikely]] {
+      if (can_throw) crypto::CheckThrow(env, SignBase::Error::Init);
+      return false;
+    }
+
+    ncrypto::Buffer<const unsigned char> data_buf{
+        .data = params.data.data<unsigned char>(),
+        .len = params.data.size(),
+    };
+
+    if (is_sign) {
+      auto sig = pkctx.sign(data_buf);
+      if (!sig) [[unlikely]] {
+        if (can_throw) crypto::CheckThrow(env, SignBase::Error::PrivateKey);
+        return false;
+      }
+      DCHECK(!sig.isSecure());
+      auto bs = ByteSource::Allocated(sig.release());
+
+      if (UseP1363Encoding(key, params.dsa_encoding)) {
+        *out = ConvertSignatureToP1363(env, key, std::move(bs));
+      } else {
+        *out = std::move(bs);
+      }
+    } else {
+      ncrypto::Buffer<const unsigned char> sig_buf{
+          .data = params.signature.data<unsigned char>(),
+          .len = params.signature.size(),
+      };
+      auto buf = DataPointer::Alloc(1);
+      *buf.get<char>() = pkctx.verify(sig_buf, data_buf);
+      *out = ByteSource::Allocated(buf.release());
+    }
+
+    return true;
+  }
+
+  // Non-prehashed path: use EVP_DigestSign/EVP_DigestVerify.
+  auto context = EVPMDCtxPointer::New();
+  if (!context) [[unlikely]]
+    return false;
+
   auto ctx = ([&] {
     if (has_context) {
       ncrypto::Buffer<const unsigned char> context_buf{
@@ -710,21 +871,13 @@ bool SignTraits::DeriveBits(Environment* env,
           .len = params.context_string.size(),
       };
 
-      switch (params.mode) {
-        case SignConfiguration::Mode::Sign:
-          return context.signInitWithContext(key, params.digest, context_buf);
-        case SignConfiguration::Mode::Verify:
-          return context.verifyInitWithContext(key, params.digest, context_buf);
-      }
-    } else {
-      switch (params.mode) {
-        case SignConfiguration::Mode::Sign:
-          return context.signInit(key, params.digest);
-        case SignConfiguration::Mode::Verify:
-          return context.verifyInit(key, params.digest);
-      }
+      return is_sign
+                 ? context.signInitWithContext(key, params.digest, context_buf)
+                 : context.verifyInitWithContext(
+                       key, params.digest, context_buf);
     }
-    UNREACHABLE();
+    return is_sign ? context.signInit(key, params.digest)
+                   : context.verifyInit(key, params.digest);
   })();
 
   if (!ctx.has_value()) [[unlikely]] {
@@ -746,41 +899,34 @@ bool SignTraits::DeriveBits(Environment* env,
     return false;
   }
 
-  switch (params.mode) {
-    case SignConfiguration::Mode::Sign: {
-      if (key.isOneShotVariant()) {
-        auto data = context.signOneShot(params.data);
-        if (!data) [[unlikely]] {
-          if (can_throw) crypto::CheckThrow(env, SignBase::Error::PrivateKey);
-          return false;
-        }
-        DCHECK(!data.isSecure());
-        *out = ByteSource::Allocated(data.release());
-      } else {
-        auto data = context.sign(params.data);
-        if (!data) [[unlikely]] {
-          if (can_throw) crypto::CheckThrow(env, SignBase::Error::PrivateKey);
-          return false;
-        }
-        DCHECK(!data.isSecure());
-        auto bs = ByteSource::Allocated(data.release());
-
-        if (UseP1363Encoding(key, params.dsa_encoding)) {
-          *out = ConvertSignatureToP1363(env, key, std::move(bs));
-        } else {
-          *out = std::move(bs);
-        }
+  if (is_sign) {
+    if (key.isOneShotVariant()) {
+      auto data = context.signOneShot(params.data);
+      if (!data) [[unlikely]] {
+        if (can_throw) crypto::CheckThrow(env, SignBase::Error::PrivateKey);
+        return false;
       }
-      break;
-    }
-    case SignConfiguration::Mode::Verify: {
-      auto buf = DataPointer::Alloc(1);
-      static_cast<char*>(buf.get())[0] = 0;
-      if (context.verify(params.data, params.signature)) {
-        static_cast<char*>(buf.get())[0] = 1;
+      DCHECK(!data.isSecure());
+      *out = ByteSource::Allocated(data.release());
+    } else {
+      auto data = context.sign(params.data);
+      if (!data) [[unlikely]] {
+        if (can_throw) crypto::CheckThrow(env, SignBase::Error::PrivateKey);
+        return false;
+      }
+      DCHECK(!data.isSecure());
+      auto bs = ByteSource::Allocated(data.release());
+
+      if (UseP1363Encoding(key, params.dsa_encoding)) {
+        *out = ConvertSignatureToP1363(env, key, std::move(bs));
+      } else {
+        *out = std::move(bs);
       }
-      *out = ByteSource::Allocated(buf.release());
     }
+  } else {
+    auto buf = DataPointer::Alloc(1);
+    *buf.get<char>() = context.verify(params.data, params.signature);
+    *out = ByteSource::Allocated(buf.release());
   }
 
   return true;
diff --git a/src/crypto/crypto_sig.h b/src/crypto/crypto_sig.h
index 35154813a24549..260f5f01b23607 100644
--- a/src/crypto/crypto_sig.h
+++ b/src/crypto/crypto_sig.h
@@ -27,6 +27,7 @@ class SignBase : public BaseObject {
     PublicKey,
     MalformedSignature,
     ContextUnsupported,
+    PrehashUnsupported,
   };
 
   SignBase(Environment* env, v8::Local<v8::Object> wrap);
@@ -101,7 +102,8 @@ struct SignConfiguration final : public MemoryRetainer {
     kHasNone = 0,
     kHasSaltLength = 1,
     kHasPadding = 2,
-    kHasContextString = 4
+    kHasContextString = 4,
+    kHasPrehashed = 8,
   };
 
   CryptoJobMode job_mode;
diff --git a/test/parallel/test-crypto-sign-verify-digest.js b/test/parallel/test-crypto-sign-verify-digest.js
new file mode 100644
index 00000000000000..fe6553848f7947
--- /dev/null
+++ b/test/parallel/test-crypto-sign-verify-digest.js
@@ -0,0 +1,618 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const crypto = require('crypto');
+const fixtures = require('../common/fixtures');
+const {
+  hasOpenSSL,
+} = require('../common/crypto');
+
+// Test crypto.signDigest() and crypto.verifyDigest() one-shot APIs.
+// These accept a pre-hashed digest and sign/verify it directly.
+
+const data = Buffer.from('Hello world');
+
+// --- RSA PKCS#1 v1.5 ---
+{
+  const privKey = fixtures.readKey('rsa_private_2048.pem', 'ascii');
+  const pubKey = fixtures.readKey('rsa_public_2048.pem', 'ascii');
+
+  const digest = crypto.createHash('sha256').update(data).digest();
+
+  const sig = crypto.signDigest('sha256', digest, privKey);
+  assert(Buffer.isBuffer(sig));
+  assert.strictEqual(sig.length, 256);
+
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, pubKey, sig), true);
+
+  // Cross-verify: sign with crypto.sign, verify with crypto.verifyDigest
+  const sig2 = crypto.sign('sha256', data, privKey);
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, pubKey, sig2), true);
+
+  // Cross-verify: sign with crypto.signDigest, verify with crypto.verify
+  assert.strictEqual(crypto.verify('sha256', data, pubKey, sig), true);
+
+  // Wrong digest should fail verification
+  const wrongDigest = crypto.createHash('sha256').update(Buffer.from('wrong')).digest();
+  assert.strictEqual(crypto.verifyDigest('sha256', wrongDigest, pubKey, sig), false);
+
+  // KeyObject forms
+  const privKeyObj = crypto.createPrivateKey(privKey);
+  const pubKeyObj = crypto.createPublicKey(pubKey);
+
+  const sig3 = crypto.signDigest('sha256', digest, privKeyObj);
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, pubKeyObj, sig3), true);
+
+  // Verify with private key (extracts public)
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, privKeyObj, sig3), true);
+}
+
+// --- RSA-PSS ---
+{
+  const privKey = fixtures.readKey('rsa_private_2048.pem', 'ascii');
+  const pubKey = fixtures.readKey('rsa_public_2048.pem', 'ascii');
+
+  const digest = crypto.createHash('sha256').update(data).digest();
+
+  const sig = crypto.signDigest('sha256', digest, {
+    key: privKey,
+    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: 32,
+  });
+  assert(Buffer.isBuffer(sig));
+
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, {
+    key: pubKey,
+    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: 32,
+  }, sig), true);
+
+  // Verify with auto salt length
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, {
+    key: pubKey,
+    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: crypto.constants.RSA_PSS_SALTLEN_AUTO,
+  }, sig), true);
+
+  // Cross-verify: sign with crypto.signDigest, verify with crypto.verify
+  assert.strictEqual(crypto.verify('sha256', data, {
+    key: pubKey,
+    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: crypto.constants.RSA_PSS_SALTLEN_AUTO,
+  }, sig), true);
+
+  // Cross-verify: sign with crypto.sign, verify with crypto.verifyDigest
+  const sig2 = crypto.sign('sha256', data, {
+    key: privKey,
+    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: 32,
+  });
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, {
+    key: pubKey,
+    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: crypto.constants.RSA_PSS_SALTLEN_AUTO,
+  }, sig2), true);
+
+  // Wrong digest
+  const wrongDigest = crypto.createHash('sha256').update(Buffer.from('wrong')).digest();
+  assert.strictEqual(crypto.verifyDigest('sha256', wrongDigest, {
+    key: pubKey,
+    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: crypto.constants.RSA_PSS_SALTLEN_AUTO,
+  }, sig), false);
+}
+
+// --- RSA-PSS key type (hash/padding/salt baked into key) ---
+{
+  const privKey = fixtures.readKey('rsa_pss_private_2048_sha256_sha256_16.pem', 'ascii');
+  const pubKey = fixtures.readKey('rsa_pss_public_2048_sha256_sha256_16.pem', 'ascii');
+
+  const digest = crypto.createHash('sha256').update(data).digest();
+
+  const sig = crypto.signDigest('sha256', digest, privKey);
+  assert(Buffer.isBuffer(sig));
+
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, pubKey, sig), true);
+
+  // Cross-verify: sign with crypto.signDigest, verify with crypto.verify
+  assert.strictEqual(crypto.verify('sha256', data, pubKey, sig), true);
+
+  // Cross-verify: sign with crypto.sign, verify with crypto.verifyDigest
+  const sig2 = crypto.sign('sha256', data, privKey);
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, pubKey, sig2), true);
+
+  // Wrong digest
+  const wrongDigest = crypto.createHash('sha256').update(Buffer.from('wrong')).digest();
+  assert.strictEqual(crypto.verifyDigest('sha256', wrongDigest, pubKey, sig), false);
+}
+
+// --- ECDSA (DER encoding, default) ---
+{
+  const curves = [
+    { priv: 'ec_p256_private.pem', pub: 'ec_p256_public.pem', hash: 'sha256' },
+    { priv: 'ec_p384_private.pem', pub: 'ec_p384_public.pem', hash: 'sha384' },
+    { priv: 'ec_p521_private.pem', pub: 'ec_p521_public.pem', hash: 'sha512' },
+  ];
+
+  for (const { priv, pub, hash } of curves) {
+    const privKey = fixtures.readKey(priv, 'ascii');
+    const pubKey = fixtures.readKey(pub, 'ascii');
+
+    const digest = crypto.createHash(hash).update(data).digest();
+
+    const sig = crypto.signDigest(hash, digest, privKey);
+    assert(Buffer.isBuffer(sig));
+
+    assert.strictEqual(crypto.verifyDigest(hash, digest, pubKey, sig), true);
+
+    // Cross-verify: sign with crypto.signDigest, verify with crypto.verify
+    assert.strictEqual(crypto.verify(hash, data, pubKey, sig), true);
+
+    // Cross-verify: sign with crypto.sign, verify with crypto.verifyDigest
+    const sig2 = crypto.sign(hash, data, privKey);
+    assert.strictEqual(crypto.verifyDigest(hash, digest, pubKey, sig2), true);
+
+    // Wrong digest
+    const wrongDigest = crypto.createHash(hash).update(Buffer.from('wrong')).digest();
+    assert.strictEqual(crypto.verifyDigest(hash, wrongDigest, pubKey, sig), false);
+  }
+}
+
+// --- ECDSA (ieee-p1363 encoding) ---
+{
+  const privKey = fixtures.readKey('ec_p256_private.pem', 'ascii');
+  const pubKey = fixtures.readKey('ec_p256_public.pem', 'ascii');
+
+  const digest = crypto.createHash('sha256').update(data).digest();
+
+  const sig = crypto.signDigest('sha256', digest, {
+    key: privKey,
+    dsaEncoding: 'ieee-p1363',
+  });
+  assert(Buffer.isBuffer(sig));
+  // P-256 ieee-p1363 signature is exactly 64 bytes (2 * 32)
+  assert.strictEqual(sig.length, 64);
+
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, {
+    key: pubKey,
+    dsaEncoding: 'ieee-p1363',
+  }, sig), true);
+
+  // Cross-verify: sign with crypto.signDigest, verify with crypto.verify
+  assert.strictEqual(crypto.verify('sha256', data, {
+    key: pubKey,
+    dsaEncoding: 'ieee-p1363',
+  }, sig), true);
+
+  // Cross-verify: sign with crypto.sign, verify with crypto.verifyDigest
+  const sig2 = crypto.sign('sha256', data, {
+    key: privKey,
+    dsaEncoding: 'ieee-p1363',
+  });
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, {
+    key: pubKey,
+    dsaEncoding: 'ieee-p1363',
+  }, sig2), true);
+
+  // Wrong digest
+  const wrongDigest = crypto.createHash('sha256').update(Buffer.from('wrong')).digest();
+  assert.strictEqual(crypto.verifyDigest('sha256', wrongDigest, {
+    key: pubKey,
+    dsaEncoding: 'ieee-p1363',
+  }, sig), false);
+}
+
+// --- DSA ---
+{
+  const privKey = fixtures.readKey('dsa_private.pem', 'ascii');
+  const pubKey = fixtures.readKey('dsa_public.pem', 'ascii');
+
+  const digest = crypto.createHash('sha256').update(data).digest();
+
+  const sig = crypto.signDigest('sha256', digest, privKey);
+  assert(Buffer.isBuffer(sig));
+
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, pubKey, sig), true);
+
+  // Cross-verify: sign with crypto.signDigest, verify with crypto.verify
+  assert.strictEqual(crypto.verify('sha256', data, pubKey, sig), true);
+
+  // Cross-verify: sign with crypto.sign, verify with crypto.verifyDigest
+  const sig2 = crypto.sign('sha256', data, privKey);
+  assert.strictEqual(crypto.verifyDigest('sha256', digest, pubKey, sig2), true);
+
+  // Wrong digest
+  const wrongDigest = crypto.createHash('sha256').update(Buffer.from('wrong')).digest();
+  assert.strictEqual(crypto.verifyDigest('sha256', wrongDigest, pubKey, sig), false);
+}
+
+// --- Ed25519ph ---
+if (hasOpenSSL(3, 2)) {
+  const privKey = fixtures.readKey('ed25519_private.pem', 'ascii');
+  const pubKey = fixtures.readKey('ed25519_public.pem', 'ascii');
+
+  // Ed25519ph expects a SHA-512 prehash (64 bytes)
+  const digest = crypto.createHash('sha512').update(data).digest();
+  assert.strictEqual(digest.length, 64);
+
+  const sig = crypto.signDigest(null, digest, privKey);
+  assert(Buffer.isBuffer(sig));
+  assert.strictEqual(sig.length, 64);
+
+  assert.strictEqual(crypto.verifyDigest(null, digest, pubKey, sig), true);
+
+  // Wrong digest should fail
+  const wrongDigest = crypto.createHash('sha512').update(Buffer.from('wrong')).digest();
+  assert.strictEqual(crypto.verifyDigest(null, wrongDigest, pubKey, sig), false);
+
+  // Note: Ed25519ph signatures are NOT compatible with Ed25519 signatures
+  // (crypto.sign(null, data, privKey)), so no cross-verify with crypto.sign.
+
+  // KeyObject forms
+  const privKeyObj = crypto.createPrivateKey(privKey);
+  const pubKeyObj = crypto.createPublicKey(pubKey);
+
+  const sig2 = crypto.signDigest(null, digest, privKeyObj);
+  assert.strictEqual(crypto.verifyDigest(null, digest, pubKeyObj, sig2), true);
+
+  // Ed25519ph with context string
+  {
+    const context = Buffer.from('my context');
+    const sig3 = crypto.signDigest(null, digest, { key: privKey, context });
+    assert.strictEqual(crypto.verifyDigest(null, digest, { key: pubKey, context }, sig3), true);
+
+    // Wrong context should fail
+    assert.strictEqual(crypto.verifyDigest(null, digest, { key: pubKey }, sig3), false);
+    assert.strictEqual(crypto.verifyDigest(null, digest, {
+      key: pubKey,
+      context: Buffer.from('other'),
+    }, sig3), false);
+  }
+}
+
+// --- Ed448ph ---
+if (hasOpenSSL(3, 2)) {
+  const privKey = fixtures.readKey('ed448_private.pem', 'ascii');
+  const pubKey = fixtures.readKey('ed448_public.pem', 'ascii');
+
+  // Ed448ph expects a SHAKE256 prehash (64 bytes)
+  const digest = crypto.createHash('shake256', { outputLength: 64 }).update(data).digest();
+  assert.strictEqual(digest.length, 64);
+
+  const sig = crypto.signDigest(null, digest, privKey);
+  assert(Buffer.isBuffer(sig));
+  assert.strictEqual(sig.length, 114);
+
+  assert.strictEqual(crypto.verifyDigest(null, digest, pubKey, sig), true);
+
+  // Wrong digest
+  const wrongDigest = crypto.createHash('shake256', { outputLength: 64 }).update(Buffer.from('wrong')).digest();
+  assert.strictEqual(crypto.verifyDigest(null, wrongDigest, pubKey, sig), false);
+
+  // Ed448ph with context string
+  {
+    const context = Buffer.from('my context');
+    const sig2 = crypto.signDigest(null, digest, { key: privKey, context });
+    assert.strictEqual(crypto.verifyDigest(null, digest, { key: pubKey, context }, sig2), true);
+
+    // Wrong context should fail
+    assert.strictEqual(crypto.verifyDigest(null, digest, { key: pubKey }, sig2), false);
+    assert.strictEqual(crypto.verifyDigest(null, digest, {
+      key: pubKey,
+      context: Buffer.from('other'),
+    }, sig2), false);
+  }
+
+  // Ed448ph with empty context string
+  {
+    const context = new Uint8Array();
+    const sig3 = crypto.signDigest(null, digest, { key: privKey, context });
+    assert.strictEqual(crypto.verifyDigest(null, digest, { key: pubKey, context }, sig3), true);
+    // Empty context and no context should both verify for Ed448ph
+    assert.strictEqual(crypto.verifyDigest(null, digest, { key: pubKey }, sig3), true);
+  }
+}
+
+// --- ML-DSA external mu (prehashed) ---
+if (hasOpenSSL(3, 5)) {
+  // ML-DSA signDigest/verifyDigest treats input as external mu.
+  // mu is the 64-byte SHAKE-256(tr || M') value that the caller computes.
+  const variants = [
+    { alg: 'ml_dsa_44' },
+    { alg: 'ml_dsa_65' },
+    { alg: 'ml_dsa_87' },
+  ];
+
+  for (const { alg } of variants) {
+    const privKey = fixtures.readKey(`${alg}_private.pem`, 'ascii');
+    const pubKey = fixtures.readKey(`${alg}_public.pem`, 'ascii');
+
+    const mu = crypto.randomBytes(64);
+
+    const sig = crypto.signDigest(null, mu, privKey);
+    assert(Buffer.isBuffer(sig));
+    assert(sig.length > 0);
+
+    // Verify with same mu succeeds
+    assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig), true);
+
+    // Verify with wrong mu fails
+    const wrongMu = crypto.randomBytes(64);
+    assert.strictEqual(crypto.verifyDigest(null, wrongMu, pubKey, sig), false);
+  }
+}
+
+// --- Async (callback) mode ---
+{
+  const privKey = fixtures.readKey('rsa_private_2048.pem', 'ascii');
+  const pubKey = fixtures.readKey('rsa_public_2048.pem', 'ascii');
+
+  const digest = crypto.createHash('sha256').update(data).digest();
+
+  crypto.signDigest('sha256', digest, privKey, common.mustSucceed((sig) => {
+    assert(Buffer.isBuffer(sig));
+
+    crypto.verifyDigest('sha256', digest, pubKey, sig, common.mustSucceed((result) => {
+      assert.strictEqual(result, true);
+    }));
+  }));
+}
+
+// --- Async (callback) error handling ---
+{
+  // Non-signing key type error is delivered via callback
+  const x25519Priv = fixtures.readKey('x25519_private.pem', 'ascii');
+  crypto.signDigest('sha256', Buffer.alloc(32), x25519Priv, common.mustCall((err) => {
+    assert(err);
+    assert.match(err.message, /operation not supported for this keytype/);
+  }));
+}
+
+if (hasOpenSSL(3, 2)) {
+  // Wrong digest length error is delivered via callback
+  const edPrivKey = fixtures.readKey('ed25519_private.pem', 'ascii');
+  crypto.signDigest(null, Buffer.alloc(32), edPrivKey, common.mustCall((err) => {
+    assert(err);
+    assert.match(err.message, /invalid digest length/);
+  }));
+}
+
+if (hasOpenSSL(3, 5)) {
+  // ML-DSA async sign+verify with external mu (64-byte pre-computed value)
+  const mldsaPrivKey = fixtures.readKey('ml_dsa_44_private.pem', 'ascii');
+  const mldsaPubKey = fixtures.readKey('ml_dsa_44_public.pem', 'ascii');
+  const mu = crypto.randomBytes(64);
+  crypto.signDigest(null, mu, mldsaPrivKey, common.mustSucceed((sig) => {
+    assert(sig.length > 0);
+    crypto.verifyDigest(null, mu, mldsaPubKey, sig, common.mustSucceed((ok) => {
+      assert.strictEqual(ok, true);
+    }));
+  }));
+
+  // Wrong mu length (32 bytes) is rejected asynchronously
+  crypto.signDigest(null, Buffer.alloc(32), mldsaPrivKey, common.mustCall((err) => {
+    assert(err);
+    assert.match(err.message, /provider signature failure/);
+  }));
+}
+
+// --- Error: unsupported key type for prehashed signing ---
+{
+  // ML-DSA rejects wrong mu length (must be exactly 64 bytes).
+  if (hasOpenSSL(3, 5)) {
+    const privKey = fixtures.readKey('ml_dsa_44_private.pem', 'ascii');
+    const pubKey = fixtures.readKey('ml_dsa_44_public.pem', 'ascii');
+
+    assert.throws(() => {
+      crypto.signDigest(null, Buffer.alloc(32), privKey);
+    }, /provider signature failure/);
+
+    assert.throws(() => {
+      crypto.signDigest(null, Buffer.alloc(128), privKey);
+    }, /provider signature failure/);
+
+    // verifyDigest returns false for wrong mu length (not a throw)
+    assert.strictEqual(
+      crypto.verifyDigest(null, Buffer.alloc(32), pubKey, Buffer.alloc(2420)),
+      false,
+    );
+
+    // Context string is not supported with signDigest/verifyDigest for ML-DSA
+    // since context must already be incorporated into the externally computed mu.
+    assert.throws(() => {
+      crypto.signDigest(null, Buffer.alloc(64), { key: privKey, context: Buffer.from('ctx') });
+    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Context parameter is unsupported/ });
+    assert.throws(() => {
+      crypto.verifyDigest(null, Buffer.alloc(64), { key: pubKey, context: Buffer.from('ctx') },
+                          Buffer.alloc(2420));
+    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Context parameter is unsupported/ });
+  }
+
+  // ML-DSA external mu cross-verification with crypto.sign/crypto.verify.
+  // Computes mu = SHAKE-256(tr || M', 64) per FIPS 204, where
+  // tr = SHAKE-256(pk, 64) and M' encodes the context.
+  if (hasOpenSSL(3, 5)) {
+    const variants = [
+      { alg: 'ml_dsa_44', sigLen: 2420 },
+      { alg: 'ml_dsa_65', sigLen: 3309 },
+      { alg: 'ml_dsa_87', sigLen: 4627 },
+    ];
+
+    for (const { alg } of variants) {
+      const privKey = fixtures.readKey(`${alg}_private.pem`, 'ascii');
+      const pubKey = fixtures.readKey(`${alg}_public.pem`, 'ascii');
+
+      // Get raw public key bytes for tr computation via JWK export.
+      const pubKeyObj = crypto.createPublicKey(pubKey);
+      const pkBytes = Buffer.from(pubKeyObj.export({ format: 'jwk' }).pub, 'base64url');
+      const tr = crypto.createHash('shake256', { outputLength: 64 }).update(pkBytes).digest();
+
+      const msg = Buffer.from('ML-DSA cross-verify test message');
+
+      // Without context: M' = 0x00 || 0x00 || M
+      {
+        const mPrime = Buffer.concat([Buffer.from([0x00, 0x00]), msg]);
+        const mu = crypto.createHash('shake256', { outputLength: 64 })
+          .update(tr).update(mPrime).digest();
+
+        const sig = crypto.signDigest(null, mu, privKey);
+        assert.strictEqual(crypto.verify(null, msg, pubKey, sig), true);
+
+        const sig2 = crypto.sign(null, msg, privKey);
+        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig2), true);
+      }
+
+      // With context: M' = 0x00 || len(ctx) || ctx || M
+      {
+        const ctx = Buffer.from('test context string');
+        const mPrime = Buffer.concat([Buffer.from([0x00, ctx.length]), ctx, msg]);
+        const mu = crypto.createHash('shake256', { outputLength: 64 })
+          .update(tr).update(mPrime).digest();
+
+        const sig = crypto.signDigest(null, mu, privKey);
+        assert.strictEqual(
+          crypto.verify(null, msg, { key: pubKey, context: ctx }, sig), true);
+
+        const sig2 = crypto.sign(null, msg, { key: privKey, context: ctx });
+        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig2), true);
+
+        // Mismatched context: signDigest with context mu, verify without context
+        assert.strictEqual(crypto.verify(null, msg, pubKey, sig), false);
+
+        // Mismatched context: sign without context, verifyDigest with context mu
+        const sig3 = crypto.sign(null, msg, privKey);
+        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig3), false);
+      }
+    }
+  }
+
+  // Ed25519ph/Ed448ph require OpenSSL >= 3.2. On older versions, they
+  // should throw PrehashUnsupported.
+  if (!hasOpenSSL(3, 2)) {
+    const edPrivKey = fixtures.readKey('ed25519_private.pem', 'ascii');
+    const edPubKey = fixtures.readKey('ed25519_public.pem', 'ascii');
+
+    assert.throws(() => {
+      crypto.signDigest(null, Buffer.alloc(64), edPrivKey);
+    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Prehashed signing is not supported/ });
+
+    assert.throws(() => {
+      crypto.verifyDigest(null, Buffer.alloc(64), edPubKey, Buffer.alloc(64));
+    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Prehashed signing is not supported/ });
+  }
+
+  // Invalid algorithm argument type
+  assert.throws(() => {
+    crypto.signDigest(123, Buffer.alloc(32), fixtures.readKey('rsa_private_2048.pem', 'ascii'));
+  }, { code: 'ERR_INVALID_ARG_TYPE' });
+}
+
+// --- Error: non-signing key types (X25519, X448) ---
+{
+  const x25519Priv = fixtures.readKey('x25519_private.pem', 'ascii');
+  const x25519Pub = fixtures.readKey('x25519_public.pem', 'ascii');
+
+  assert.throws(() => {
+    crypto.signDigest('sha256', Buffer.alloc(32), x25519Priv);
+  }, { code: 'ERR_OSSL_EVP_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE' });
+
+  assert.throws(() => {
+    crypto.verifyDigest('sha256', Buffer.alloc(32), x25519Pub, Buffer.alloc(64));
+  }, { code: 'ERR_OSSL_EVP_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE' });
+}
+
+// --- Error: invalid/unsupported digest algorithm ---
+{
+  const privKey = fixtures.readKey('rsa_private_2048.pem', 'ascii');
+
+  assert.throws(() => {
+    crypto.signDigest('nonexistent', Buffer.alloc(32), privKey);
+  }, { code: 'ERR_CRYPTO_INVALID_DIGEST' });
+}
+
+// --- Error: string inputs are rejected (digest must be binary) ---
+{
+  const privKey = fixtures.readKey('rsa_private_2048.pem', 'ascii');
+  const pubKey = fixtures.readKey('rsa_public_2048.pem', 'ascii');
+
+  // 64-byte string (same length as a SHA-512 digest)
+  const strDigest64 = 'a'.repeat(64);
+  assert.throws(() => {
+    crypto.signDigest('sha256', strDigest64, privKey);
+  }, { code: 'ERR_INVALID_ARG_TYPE' });
+
+  assert.throws(() => {
+    crypto.verifyDigest('sha256', strDigest64, pubKey, Buffer.alloc(256));
+  }, { code: 'ERR_INVALID_ARG_TYPE' });
+
+  // 128-byte string
+  const strDigest128 = 'b'.repeat(128);
+  assert.throws(() => {
+    crypto.signDigest('sha256', strDigest128, privKey);
+  }, { code: 'ERR_INVALID_ARG_TYPE' });
+
+  assert.throws(() => {
+    crypto.verifyDigest('sha256', strDigest128, pubKey, Buffer.alloc(256));
+  }, { code: 'ERR_INVALID_ARG_TYPE' });
+}
+
+// --- ECDSA: hash larger than curve order (cross-verify) ---
+// Using SHA-512 (64 bytes) with P-256 (32-byte order) and P-384 (48-byte order).
+// The digest is larger than the curve's order; ECDSA truncates it internally.
+{
+  const curves = [
+    { priv: 'ec_p256_private.pem', pub: 'ec_p256_public.pem' },
+    { priv: 'ec_p384_private.pem', pub: 'ec_p384_public.pem' },
+  ];
+
+  for (const { priv, pub } of curves) {
+    const privKey = fixtures.readKey(priv, 'ascii');
+    const pubKey = fixtures.readKey(pub, 'ascii');
+
+    const digest = crypto.createHash('sha512').update(data).digest();
+
+    // signDigest + verifyDigest
+    const sig = crypto.signDigest('sha512', digest, privKey);
+    assert.strictEqual(crypto.verifyDigest('sha512', digest, pubKey, sig), true);
+
+    // Cross-verify: sign with crypto.signDigest, verify with crypto.verify
+    assert.strictEqual(crypto.verify('sha512', data, pubKey, sig), true);
+
+    // Cross-verify: sign with crypto.sign, verify with crypto.verifyDigest
+    const sig2 = crypto.sign('sha512', data, privKey);
+    assert.strictEqual(crypto.verifyDigest('sha512', digest, pubKey, sig2), true);
+  }
+}
+
+// --- Error: wrong digest length for Ed25519ph/Ed448ph ---
+if (hasOpenSSL(3, 2)) {
+  // Ed25519ph requires exactly 64-byte SHA-512 digest
+  {
+    const privKey = fixtures.readKey('ed25519_private.pem', 'ascii');
+    assert.throws(() => {
+      crypto.signDigest(null, Buffer.alloc(32), privKey);
+    }, { code: 'ERR_OSSL_INVALID_DIGEST_LENGTH' });
+  }
+
+  // Ed448ph requires exactly 64-byte SHAKE256 digest
+  {
+    const privKey = fixtures.readKey('ed448_private.pem', 'ascii');
+    assert.throws(() => {
+      crypto.signDigest(null, Buffer.alloc(32), privKey);
+    }, { code: 'ERR_OSSL_INVALID_DIGEST_LENGTH' });
+  }
+
+  // Ed448ph rejects a valid 128-byte SHAKE256 digest (must be exactly 64 bytes)
+  {
+    const privKey = fixtures.readKey('ed448_private.pem', 'ascii');
+    const shake256_128 = crypto.createHash('shake256', { outputLength: 128 }).update(data).digest();
+    assert.strictEqual(shake256_128.length, 128);
+
+    assert.throws(() => {
+      crypto.signDigest(null, shake256_128, privKey);
+    }, { code: 'ERR_OSSL_INVALID_DIGEST_LENGTH' });
+  }
+}
diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
index a66f0a94efd7c9..55a13ce45483f3 100644
--- a/test/parallel/test-crypto-sign-verify.js
+++ b/test/parallel/test-crypto-sign-verify.js
@@ -525,6 +525,47 @@ assert.throws(
   }
 });
 
+// Ed25519ctx: Ed25519 with context string.
+if (hasOpenSSL(3, 2)) {
+  const privKey = fixtures.readKey('ed25519_private.pem', 'ascii');
+  const pubKey = fixtures.readKey('ed25519_public.pem', 'ascii');
+  const data = Buffer.from('Hello world');
+
+  {
+    const context = Buffer.from('my context');
+    const sig = crypto.sign(null, data, { key: privKey, context });
+    assert.strictEqual(sig.length, 64);
+
+    // Verify with matching context succeeds
+    assert.strictEqual(crypto.verify(null, data, { key: pubKey, context }, sig), true);
+
+    // Verify without context fails (Ed25519ctx !== Ed25519 pure)
+    assert.strictEqual(crypto.verify(null, data, { key: pubKey }, sig), false);
+
+    // Verify with wrong context fails
+    assert.strictEqual(crypto.verify(null, data, {
+      key: pubKey,
+      context: Buffer.from('wrong'),
+    }, sig), false);
+  }
+
+  {
+    // Empty context: behaves the same as no context because the
+    // internal has_context check requires a non-empty context string.
+    const context = new Uint8Array();
+    const sig = crypto.sign(null, data, { key: privKey, context });
+
+    assert.strictEqual(crypto.verify(null, data, { key: pubKey, context }, sig), true);
+    assert.strictEqual(crypto.verify(null, data, { key: pubKey }, sig), true);
+  }
+
+  // Context too long
+  assert.throws(() => crypto.sign(null, data, { key: privKey, context: new Uint8Array(256) }), {
+    code: 'ERR_OUT_OF_RANGE',
+    message: 'context string must be at most 255 bytes',
+  });
+}
+
 [1, {}, [], true, Infinity].forEach((input) => {
   const data = Buffer.alloc(1);
   const sig = Buffer.alloc(1);