What is a Detached PKCS7 CMS Signature?
A detached PKCS#7 / CMS signature is a digital signature over some data in which the signed content is not embedded in the signature file. The signature and the data are stored and transmitted separately, hence detached, and a verifier has to be handed both.
The format was defined by PKCS #7 v1.5 (RFC 2315) and is now standardized as CMS, the Cryptographic Message Syntax (RFC 5652), which keeps the SignedData structure backward compatible; the two names are used interchangeably in practice.
What It Does
- Integrity: verification fails if even a single bit of the signed data has changed since it was signed
- Data-origin authentication: the signature can only have been produced by the holder of the private key matching the signer's certificate; the signer's identity is established by validating that certificate (and any intermediates) against a trust anchor, not by its mere presence in the signature file
- No confidentiality: the content is neither encrypted nor included, so anyone holding the data can read it regardless of the signature
Structure
A detached PKCS#7 signature (e.g., a .p7s file) is a CMS SignedData structure that includes:
- Signature value: the signer's private key applied to the DER-encoded signed attributes, which carry the digest (hash) of the content, so the signature covers the content indirectly
- Signer's certificate, and optionally the intermediate CA certificates needed to build a chain (the certificates field is optional in CMS, but signers almost always include at least their own)
- Metadata: digest and signature algorithm identifiers, plus signed attributes such as contentType, messageDigest and signingTime (signingTime is asserted by the signer and is not a trusted timestamp)
- No original content: encapContentInfo.eContent is absent, so the verifier must be supplied the exact original bytes separately; a single changed byte, including a line-ending conversion, makes verification fail
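The properties and structure described above can be exercised end to end with the openssl cms subcommand. The script below is an added example, not code from the original article: it generates a self-signed signing certificate (also used as the trust anchor), produces a detached .p7s and, for contrast, an attached .p7m over the same constructed sample file, then shows that the detached file carries no content, that one changed byte is rejected, and that a signature from an untrusted signer is rejected unless chain validation is switched off with -noverify. OpenSSL 1.1.1 or newer is assumed; all file names, subject names and the report text are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: create, inspect and verify a
# detached CMS/PKCS#7 signature with openssl cms, then exercise the two failure
# modes that matter in practice (tampered content, untrusted signer).
# Assumptions: OpenSSL 1.1.1 or newer on PATH. The file names, subject names and
# the sample report text below are made up for this demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed signing certificate with the key usages an S/MIME-style signer needs.
# It doubles as the trust anchor (-CAfile), so the chain is one certificate long;
# a real deployment points -CAfile at its CA bundle instead.
make_signer() {  # make_signer <name> <common-name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "keyUsage=digitalSignature" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# openssl cms -sign is detached unless -nodetach is given. -binary stops MIME
# canonicalisation of line endings (essential for non-text files); -outform DER
# gives the raw SignedData that .p7s files usually contain.
sign_detached() {  # sign_detached <content> <signer-name> <out.p7s>
    openssl cms -sign -binary -in "$1" -signer "$WORK/$2.pem" \
        -inkey "$WORK/$2.key" -outform DER -out "$3"
}

# Same signer, but with the content embedded (an attached signature) for contrast.
sign_attached() {  # sign_attached <content> <signer-name> <out.p7m>
    openssl cms -sign -binary -nodetach -in "$1" -signer "$WORK/$2.pem" \
        -inkey "$WORK/$2.key" -outform DER -out "$3"
}

# Verification needs two things the .p7s does not provide: the exact original
# bytes (-content) and a trust anchor (-CAfile). The certificate carried inside
# the signature is untrusted input until it chains to that anchor.
verify_detached() {  # verify_detached <sig.p7s> <content> <ca.pem>; exit status is the verdict
    openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
        -CAfile "$3" -out /dev/null >/dev/null 2>&1
}

# Insecure variant: -noverify skips chain validation, so whatever certificate the
# sender chose to embed is accepted. Included only to demonstrate the failure mode.
verify_without_trust_check() {  # verify_without_trust_check <sig.p7s> <content>
    openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
        -noverify -out /dev/null >/dev/null 2>&1
}

# Succeeds only if the SignedData carries its own eContent: verifying without
# -content fails with "no content" on a detached signature.
has_embedded_content() {  # has_embedded_content <sig>
    openssl cms -verify -binary -inform DER -in "$1" -noverify \
        -out /dev/null >/dev/null 2>&1
}

verdict() {  # verdict <label> <command...>: print the result without aborting under set -e
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: REJECTED"; fi
}

# Constructed sample content and two independent signers.
printf 'Quarterly report: revenue up 4%%\n' > "$WORK/report.txt"
make_signer signer "Example Signer"
make_signer attacker "Someone Else"

sign_detached "$WORK/report.txt" signer   "$WORK/report.txt.p7s"
sign_detached "$WORK/report.txt" attacker "$WORK/forged.p7s"
sign_attached "$WORK/report.txt" signer   "$WORK/report.txt.p7m"

# One-byte modification of the content; the signature file is left untouched.
sed 's/4%/9%/' "$WORK/report.txt" > "$WORK/report.tampered.txt"

echo "detached .p7s embeds content: $(has_embedded_content "$WORK/report.txt.p7s" && echo yes || echo no)"
echo "attached .p7m embeds content: $(has_embedded_content "$WORK/report.txt.p7m" && echo yes || echo no)"
verdict "genuine signature, original bytes   " verify_detached "$WORK/report.txt.p7s" "$WORK/report.txt" "$WORK/signer.pem"
verdict "genuine signature, tampered bytes   " verify_detached "$WORK/report.txt.p7s" "$WORK/report.tampered.txt" "$WORK/signer.pem"
verdict "attacker's signature, trusted anchor" verify_detached "$WORK/forged.p7s" "$WORK/report.txt" "$WORK/signer.pem"
verdict "attacker's signature, -noverify     " verify_without_trust_check "$WORK/forged.p7s" "$WORK/report.txt"

# Structure of the detached file: digest algorithm, signed attributes, no eContent.
openssl cms -cmsout -print -inform DER -in "$WORK/report.txt.p7s" \
    | grep -E 'eContent|signingTime|messageDigest|algorithm:' || true
```

The last two verdict lines are the point to remember: the forged .p7s carries a perfectly valid certificate and a perfectly valid signature by that certificate's key, and -noverify happily accepts it. Only the chain check against -CAfile turns "this was signed by whoever wrote the file" into "this was signed by a party we trust". The -content argument matters just as much: feed the verifier the wrong bytes, even a copy whose line endings were rewritten in transit, and a genuine signature is correctly rejected.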
Use Case Example
| Use Case | Description |
|---|---|
| Email (S/MIME) | The message is sent as multipart/signed: the first MIME part is the message content and the second, typically named smime.p7s, is the detached signature over it; mail clients that do not understand S/MIME can still display the body |
| File signing | A signature file is stored next to the document (e.g., report.pdf + report.pdf.p7s); the document itself is left byte-for-byte unchanged |
| Software signing | Used to validate packages or build artifacts where the signature cannot or should not be embedded in the file; the artifact's hash stays stable and the signature can be distributed or re-issued independently of it |