With the detached CMS signature in sig.p7 and the original payload in payload, verify with OpenSSL. Recreate the exact payload bytes first:
Recreate the signed payload
Recreate the signed payload
printf 'hello, cryptohub code signing' > payload
Verify the CMS signature
openssl cms -verify -inform DER -in sig.p7 -content payload -noverify
-noverify skips chain trust validation so you can confirm the cryptographic signature independently of the trust store:hello, cryptohub code signing
CMS Verification successful
Inspect the signer chain
Inspect the signer certificate and confirm it chains to the root CA you minted in Step 2:openssl pkcs7 -inform DER -in sig.p7 -print_certs -noout
subject=CN=REST API Code Signing, O=Example, C=US
issuer=CN=REST API Code Signing Root, O=Example, C=US
subject=CN=REST API Code Signing Root, O=Example, C=US
issuer=CN=REST API Code Signing Root, O=Example, C=US
The signer certificate’s issuer matching the root’s subject confirms the signing certificate chains to the CA minted in Step 2.
You have completed a fully API-driven code-signing flow: authenticated with dual login, minted a signing CA, deployed a PKI Signing service with an embedded signing certificate, submitted a payload, retrieved the CMS signature, and verified it with OpenSSL.