Hello, I'm new to this list. I'm using pkcs7 packages to embbed firmware, to procide authenticity verification before doing firmware upgrades. I use the openssl cms command for verification purpose, but face the following problem : when doing verify, openssl cms -verify does check whether the signing certificate is valid today, not whether or not it was still valid when the package got signed. I saw the -attime option to specify the verification date, but found no easy way to fetch the signature date from the package for each signature. So I was wondering if it was the intended function that the certificate validity verification was made at the verification date and not the signature date. Thanks François
