diff --git a/sovp/core.py b/sovp/core.py
index f9ac9a6..19cb4ef 100644
--- a/sovp/core.py
+++ b/sovp/core.py
@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 import base64
+import hashlib
 import jcs
 import uuid
 from datetime import datetime, timezone, timedelta
@@ -13,7 +14,7 @@
 # Per draft Section 4: integrity_proof is excluded because the signature
 # cannot cover itself. Per draft V02 item 10: vendor extension objects
 # (e.g. scan) MUST NOT be included in the signed scope.
-_OUT_OF_SCOPE_KEYS = frozenset({"integrity_proof", "scan"})
+_OUT_OF_SCOPE_KEYS = frozenset({"integrity_proof", "scan", "contentAddress"})
 from cryptography.hazmat.primitives.asymmetric import ed25519
 from cryptography.hazmat.primitives import serialization
 from cryptography.exceptions import InvalidSignature
@@ -177,13 +178,16 @@ def generate_identity_document(
         },
     }
 
-    priv_bytes = base64.b64decode(private_key_b64)
-    private_key = ed25519.Ed25519PrivateKey.from_private_bytes(priv_bytes)
     canonical_data = jcs.canonicalize(non_proof)
-    signature = base64.b64encode(private_key.sign(canonical_data)).decode("utf-8")
+    signature = sign_identity(private_key_b64, non_proof)
+    digest = hashlib.sha256(canonical_data).hexdigest()
 
     document = {
         **non_proof,
+        "contentAddress": {
+            "alg": "sha256",
+            "digest": digest,
+        },
         "integrity_proof": {
             "signature": signature,
             "created": created,