> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Step 6: Retrieve the signature

> Retrieve the detached CMS / PKCS

Fetch the completed signing request with `GET /api/v2/x509/signing-requests/{uuid}`. When `state` is `Signed`, the detached **DER PKCS #7 / CMS** signature is returned base64-encoded in the `signature` field.

<Steps>
  <Step title="Fetch the signing request">
    ```bash lines wrap title="GET /api/v2/x509/signing-requests/{uuid}" theme={null}
    curl -sk "${AUTH[@]}" -b "$CJ" \
      "$B/api/v2/x509/signing-requests/$REQUEST"
    ```

    ```json expandable lines wrap title="Response" theme={null}
    {
      "success": true,
      "errorCode": "Success",
      "response": {
        "objInfo": { "name": "rest-api-demo-1", "uuid": "060000ee-....-............" },
        "state": "Signed",
        "approvalState": "Approved",
        "serviceUuid": "040000cc-....-............",
        "signingPolicyUuid": "050000dd-....-............",
        "signature": "MIIGxQYJKoZIhvcNAQcCoIIGtjCCBrI...base64-DER-CMS..."
      }
    }
    ```
  </Step>

  <Step title="Decode the signature">
    Decode the `signature` field into a DER file:

    ```bash lines wrap title="Extract the signature" theme={null}
    curl -sk "${AUTH[@]}" -b "$CJ" \
      "$B/api/v2/x509/signing-requests/$REQUEST" \
      | python3 -c 'import sys,json,base64; \
    sys.stdout.buffer.write(base64.b64decode(json.load(sys.stdin)["response"]["signature"]))' \
      > sig.p7
    ```
  </Step>
</Steps>

<Note>
  **Two retrieval paths, depending on the signing format:**

  * **Detached formats (`CMS`, `Raw`)** produce a standalone signature with no embedded artifact. Retrieve it from the `signature` field of `GET /api/v2/x509/signing-requests/{uuid}`, as shown above.
  * **Embedded / artifact formats (`Authenticode`, `Msi`, `JavaJar`, `Powershell`)** produce a signed *artifact* (for example, a signed `.exe`). The artifact is written to the signing service's configured **network drive** and is retrieved with `GET /api/v2/x509/signing-requests/{uuid}/signed/download`. That endpoint requires a network drive on the service and does not apply to detached `CMS` / `Raw` requests.
</Note>
