I have some data that was signed with RSA-SHA1 <https://www.w3.org/PICS/DSig/RSA-SHA1_1_0.html>. What's the proper way of verifying that data with a signature? The signature is base64 encoded, so first I do: openssl enc -d -A -base64 -in signature.txt -out signature.sha1 Then I do: openssl dgst -verify pubkey.pem -signature signature.sha1 datafile.txt Or: openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1 datafile.txt Either of those fails with: Verification Failure Whenever I try to verify data signed with my own key, everything works. But for that data that I got from a third party nothing works. That third party is adamant that the signature is correct and it's RSA_SHA1, but they've been unwilling to explain the details on how they sign it and what they use to verify. So what are the proper way of dealing with this? -- Best Regards, Nikolay Kudryavtsev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160912/9468b00f/attachment.html>
