> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Step 7: Verify the signature

> Verify the CMS signature and signer chain with OpenSSL.

With the detached CMS signature in `sig.p7` and the original payload in `payload`, verify with OpenSSL. Recreate the exact payload bytes first:

<Steps>
  <Step title="Recreate the signed payload">
    ```bash lines wrap title="Recreate the signed payload" theme={null}
    printf 'hello, cryptohub code signing' > payload
    ```
  </Step>

  <Step title="Verify the CMS signature">
    ```bash lines wrap title="Verify the CMS signature" theme={null}
    openssl cms -verify -inform DER -in sig.p7 -content payload -noverify
    ```

    `-noverify` skips chain trust validation so you can confirm the cryptographic signature independently of the trust store:

    ```text lines wrap title="Expected output" theme={null}
    hello, cryptohub code signing
    CMS Verification successful
    ```
  </Step>

  <Step title="Inspect the signer chain">
    Inspect the signer certificate and confirm it chains to the root CA you minted in Step 2:

    ```bash lines wrap title="Print the signer chain" theme={null}
    openssl pkcs7 -inform DER -in sig.p7 -print_certs -noout
    ```

    ```text expandable lines wrap title="Expected output" theme={null}
    subject=CN=REST API Code Signing, O=Example, C=US
    issuer=CN=REST API Code Signing Root, O=Example, C=US

    subject=CN=REST API Code Signing Root, O=Example, C=US
    issuer=CN=REST API Code Signing Root, O=Example, C=US
    ```

    The signer certificate's `issuer` matching the root's `subject` confirms the signing certificate chains to the CA minted in Step 2.
  </Step>
</Steps>

<Check>
  You have completed a fully API-driven code-signing flow: authenticated with dual login, minted a signing CA, deployed a PKI Signing service with an embedded signing certificate, submitted a payload, retrieved the CMS signature, and verified it with OpenSSL.
</Check>
