Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

With the detached CMS signature in sig.p7 and the original payload in payload, verify with OpenSSL. Recreate the exact payload bytes first:
1

Recreate the signed payload

Recreate the signed payload
printf 'hello, cryptohub code signing' > payload
2

Verify the CMS signature

Verify the CMS signature
openssl cms -verify -inform DER -in sig.p7 -content payload -noverify
-noverify skips chain trust validation so you can confirm the cryptographic signature independently of the trust store:
Expected output
hello, cryptohub code signing
CMS Verification successful
3

Inspect the signer chain

Inspect the signer certificate and confirm it chains to the root CA you minted in Step 2:
Print the signer chain
openssl pkcs7 -inform DER -in sig.p7 -print_certs -noout
Expected output
subject=CN=REST API Code Signing, O=Example, C=US
issuer=CN=REST API Code Signing Root, O=Example, C=US

subject=CN=REST API Code Signing Root, O=Example, C=US
issuer=CN=REST API Code Signing Root, O=Example, C=US
The signer certificate’s issuer matching the root’s subject confirms the signing certificate chains to the CA minted in Step 2.
You have completed a fully API-driven code-signing flow: authenticated with dual login, minted a signing CA, deployed a PKI Signing service with an embedded signing certificate, submitted a payload, retrieved the CMS signature, and verified it with OpenSSL.