Manually verifying a code signature

You can manually verify whether the file contents and the code signature match.

Procedure

  1. Extract the code signature.
    Follow the steps in Extracting a code signature.
  2. Remove the code signature to obtain an unsigned file.
    Follow the steps in Removing a code signature.
  3. Check that the signature and file data match.
    Use the extracted signature (signature.der), the unsigned file ($FILE.orig), the public key certificate (cert.pem), and the following openssl command to check whether the signature and the file data match:
    $ openssl cms -verify -binary -nointern -noverify \
                  -certfile cert.pem \
                  -inform der -in signature.der \
                  -content $FILE.orig \
                  -out /dev/null
    CMS Verification successful
    

Results

An output line of CMS Verification successful indicates that the signature and the file contents match.
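As an added example, not part of the original page: the following shell script builds a throwaway self-signed certificate, produces a detached DER CMS signature over a constructed sample file, and runs the verification command above against the pristine file, a tampered copy, and an unrelated certificate. It assumes the openssl CLI is on PATH; the file names mirror signature.der, $FILE.orig and cert.pem but are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes the openssl CLI
# (1.1 or later) is on PATH. All file names and contents are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway signing certificate (assumption: stands in for the real signer).
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
    -subj "/CN=constructed-signer" -days 1 2>/dev/null
# Unrelated certificate, to show that -nointern/-certfile pins the signer.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
    -subj "/CN=unrelated-signer" -days 1 2>/dev/null

# Constructed sample content standing in for the unsigned $FILE.orig.
printf 'constructed sample payload\n' > sample.orig
# Detached DER CMS signature laid out like the extracted signature.der:
# -nocerts keeps the signer certificate out of the blob, so verification
# must take it from cert.pem, exactly as the page's command does.
openssl cms -sign -binary -nocerts -signer cert.pem -inkey key.pem \
    -in sample.orig -outform der -out signature.der

# The page's check as a function: returns 0 only when the detached signature
# in $1 matches the content in $2 under the certificate in $3. -noverify
# skips chain/trust validation, so $3 must already be the expected signer.
verify_cms_detached() {
    openssl cms -verify -binary -nointern -noverify \
        -certfile "$3" \
        -inform der -in "$1" \
        -content "$2" \
        -out /dev/null 2>/dev/null
}

# Tampered copy: a one-character change must make verification fail.
printf 'constructed sample payloaD\n' > tampered.orig

if verify_cms_detached signature.der sample.orig cert.pem; then
    echo "sample.orig:   CMS Verification successful"
fi
if ! verify_cms_detached signature.der tampered.orig cert.pem; then
    echo "tampered.orig: verification failed (content does not match)"
fi
if ! verify_cms_detached signature.der sample.orig other.pem; then
    echo "other.pem:     verification failed (signer certificate not found)"
fi
```

Because the command runs with -noverify, a successful result means only that the signature was made with the key belonging to cert.pem over exactly these bytes; it says nothing about whether cert.pem chains to a trusted signer, so the certificate itself has to be obtained and checked through a separate, trusted path.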