> On Apr 6, 2017, at 5:16 PM, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote:
>
>> $ openssl cms -verify -verify_retcode -CAfile ~/Certs/Our_Root_CA.pem -inform SMIME -signer $author -in ~/Documents/test-smime-decr.txt
>
> I saw no numeric code – but no error either.

The "numeric code" is the *exit* status of the program. You can find it
in "$?" directly after the execution of the command (in any POSIX shell).

> Yes, thanks! Done that. Checks out correctly.
>
>> Further issues arise if the data is expected to remain verifiable
>> past the lifetime of the signer's certificate. In that case, it
>> should be verified on arrival and re-encrypted for long-term
>> storage using an integrity protection mechanism that does not
>> depend on the long-term validity of the signer's key.
>
> This is the trickiest one.
>
> With Java code signing tool (aka “jarsigner”) I can provide a “digital
> notary” – timestamping authority that would digitally sign a timestamp
> to deal with this “past the lifetime of the signer’s certificate” issue.
> Done with “-tsa https://whatever.timestamping.authority.com”;
>
> Is there an equivalent, either in openssl tool itself, or in the email
> clients that you know of?

I don't know of any email clients that handle this properly, and I'm not
familiar with the openssl time stamping CLI. The manpage is at:

https://www.openssl.org/docs/man1.0.2/apps/ts.html
https://www.openssl.org/docs/man1.1.0/apps/ts.html

--
	Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
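The following script is an added example, not code from the thread or from either poster's setup. It covers both points discussed above: it runs the `openssl cms -verify -verify_retcode` command from the thread and reads the "numeric code" out of `$?` for a good message, a tampered message and a wrong trust anchor, and it shows the `openssl ts` counterpart of `jarsigner -tsa`, an RFC 3161 query/reply/verify round trip against a throwaway local TSA, so the data can be checked against a timestamp token rather than only against the signer's certificate lifetime. Everything it uses is generated or invented on the spot: the root CA, the S/MIME signer `alice@example.invalid`, the TSA certificate, the policy OID `1.3.6.1.4.1.99999.1`, the message text and the `mktemp` working directory; the command-line options are those of OpenSSL 1.1.1/3.x.

```shell
#!/bin/sh
# Added example (not code from the thread or from the posters' own setup).
# Part 1: the "numeric code" of `openssl cms -verify -verify_retcode`, read from
#         $? for a good message, a tampered one and a wrong trust anchor.
# Part 2: the `openssl ts` counterpart of `jarsigner -tsa`: an RFC 3161
#         query/reply/verify round trip against a local throwaway TSA.
# Every key, certificate, name, address and the policy OID is generated or
# invented here; nothing is taken from the original posters' environment.
set -u

# mkcert DIR NAME SUBJECT EXTFILE [ISSUER]: short-lived test certificate,
# self-signed when no ISSUER is given (used for the throwaway root CA).
mkcert() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 || return 1
    if [ $# -ge 5 ]; then
        openssl x509 -req -days 2 -sha256 -in "$1/$2.csr" -CA "$1/$5.pem" \
            -CAkey "$1/$5.key" -CAcreateserial -extfile "$4" \
            -out "$1/$2.pem" >/dev/null 2>&1
    else
        openssl x509 -req -days 2 -sha256 -in "$1/$2.csr" -signkey "$1/$2.key" \
            -extfile "$4" -out "$1/$2.pem" >/dev/null 2>&1
    fi
}

# smime_verify MSG CAFILE SIGNER_OUT: the verify command from the thread,
# printing the exit status ($?). 0 = verified. With -verify_retcode a failure
# is 32 + the X.509 verify error, so a bare 32 means the chain was fine but
# the signature did not match the content.
smime_verify() {
    rc=0
    openssl cms -verify -verify_retcode -CAfile "$2" -inform SMIME \
        -in "$1" -signer "$3" -out /dev/null 2>/dev/null || rc=$?
    echo "$rc"
}

# ts_stamp DIR DATA TSA: build an RFC 3161 request for DATA and answer it with
# the local TSA cert/key DIR/TSA.pem|.key; -cert asks for the TSA cert in the token.
ts_stamp() {
    openssl ts -query -data "$2" -sha256 -cert -out "$1/req.tsq" 2>/dev/null \
        || return 1
    openssl ts -reply -config "$1/tsa.cnf" -queryfile "$1/req.tsq" \
        -signer "$1/$3.pem" -inkey "$1/$3.key" -out "$1/resp.tsr" >/dev/null 2>&1
}

# ts_verify DATA RESPONSE CAFILE: prints the exit status of `openssl ts -verify`.
ts_verify() {
    rc=0
    openssl ts -verify -data "$1" -in "$2" -CAfile "$3" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# demo: build the test PKI, sign and timestamp a message, then print five exit
# statuses: "<good> <tampered> <wrong CA> <ts good> <ts tampered>".
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[ req ]' 'distinguished_name = req_dn' '[ req_dn ]' > "$d/req.cnf"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
    # what cms -verify's default purpose (S/MIME signing) accepts in a leaf
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=emailProtection' \
        'subjectAltName=email:alice@example.invalid' > "$d/smime.ext"
    # a TSA certificate needs a critical EKU containing timeStamping only
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=critical,timeStamping' > "$d/tsa.ext"
    mkcert "$d" ca "/CN=Test Root CA" "$d/ca.ext" || return 1
    mkcert "$d" alice "/CN=Alice/emailAddress=alice@example.invalid" \
        "$d/smime.ext" ca || return 1
    mkcert "$d" tsa "/CN=Test TSA" "$d/tsa.ext" ca || return 1
    # minimal `openssl ts -reply` configuration; the policy OID is made up
    printf '%s\n' '[ tsa ]' 'default_tsa = local_tsa' '[ local_tsa ]' \
        "serial = $d/tsaserial" 'signer_digest = sha256' \
        'default_policy = 1.3.6.1.4.1.99999.1' 'digests = sha256, sha1' > "$d/tsa.cnf"

    printf 'Amount: 100 EUR\nPlease pay by Friday.\n' > "$d/msg.txt"  # constructed
    openssl cms -sign -in "$d/msg.txt" -signer "$d/alice.pem" \
        -inkey "$d/alice.key" -out "$d/msg.smime" 2>/dev/null || return 1
    # clear-signed S/MIME carries the text verbatim, so the edit is trivial
    sed 's/Amount: 100 EUR/Amount: 900 EUR/' "$d/msg.smime" > "$d/tampered.smime"
    sed 's/Amount: 100 EUR/Amount: 900 EUR/' "$d/msg.txt" > "$d/tampered.txt"

    good=$(smime_verify "$d/msg.smime" "$d/ca.pem" "$d/signer.pem")
    tampered=$(smime_verify "$d/tampered.smime" "$d/ca.pem" "$d/signer2.pem")
    wrongca=$(smime_verify "$d/msg.smime" "$d/tsa.pem" "$d/signer3.pem")
    ts_stamp "$d" "$d/msg.txt" tsa || return 1
    ts_good=$(ts_verify "$d/msg.txt" "$d/resp.tsr" "$d/ca.pem")
    ts_bad=$(ts_verify "$d/tampered.txt" "$d/resp.tsr" "$d/ca.pem")
    rm -rf "$d"
    echo "$good $tampered $wrongca $ts_good $ts_bad"
}

# Run stand-alone with: sh thisfile.sh run
case "${1:-}" in run) demo ;; esac
```

Two things worth keeping in mind when reading the output. `openssl cms -verify` prints "Verification successful" or "Verification failure" to stderr either way; only `$?` tells a script which one happened, and without `-verify_retcode` every failure collapses to the same code, so the flag is what makes the reason recoverable. The timestamp token only helps if it is stored next to the signed message: `openssl ts -verify` recomputes the message imprint from the data you hand it and still validates the TSA's own chain at verification time, so it proves the data existed before the TSA's clock reading, not that the S/MIME signer's certificate was valid then; that second check is yours to do against the timestamp rather than against the wall clock.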