Step 7: Verify the signature - Futurex Documentation

With the detached CMS signature in sig.p7 and the original payload in payload, verify with OpenSSL. Recreate the exact payload bytes first:

Recreate the signed payload

printf 'hello, cryptohub code signing' > payload

Verify the CMS signature

openssl cms -verify -inform DER -in sig.p7 -content payload -noverify

-noverify skips chain trust validation so you can confirm the cryptographic signature independently of the trust store:

Expected output

hello, cryptohub code signing
CMS Verification successful

Inspect the signer chain

Inspect the signer certificate and confirm it chains to the root CA you minted in Step 2:

Print the signer chain

openssl pkcs7 -inform DER -in sig.p7 -print_certs -noout

Expected output

subject=CN=REST API Code Signing, O=Example, C=US
issuer=CN=REST API Code Signing Root, O=Example, C=US

subject=CN=REST API Code Signing Root, O=Example, C=US
issuer=CN=REST API Code Signing Root, O=Example, C=US

The signer certificate’s issuer matching the root’s subject confirms the signing certificate chains to the CA minted in Step 2.

You have completed a fully API-driven code-signing flow: authenticated with dual login, minted a signing CA, deployed a PKI Signing service with an embedded signing certificate, submitted a payload, retrieved the CMS signature, and verified it with OpenSSL.

⌘I