PKCS#7 signed-data with Multiple Signers
PKCS#7 signed-data (now part of CMS, RFC 5652) supports multiple signers, allowing the same content to be signed by more than one certificate. This is useful in workflows like co-signing, approval chains, or dual-signature requirements.
How It Works (internal to Chilkat)
- The content is hashed using a digest algorithm (e.g., SHA-256).
- Each signer uses their private key to sign that hash.
- For each signer, the structure includes:
  - The signer's identifier (issuer and serial number, or subject key identifier)
  - The digest algorithm used
  - The actual signature
  - Optionally, signed attributes (e.g., signing time, message digest)
- All signatures and signer metadata are bundled into a single SignedData object.
Resulting Structure Contains:
- The original content (if not detached)
- A certificates list (may include all signers' certificates)
- A signerInfos list (one per signer)
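The two lists above, as an added example rather than Chilkat's code: it uses the Python cryptography package to build one SignedData with two signers over the same content, then walks the resulting DER with a small hand-written TLV reader to count the certificates list and report one SignerInfo (and its identifier form) per signer. The signer certificates and the payload are constructed throwaway test values.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID
def make_cert(common_name):
    # Constructed test signer: a throwaway self-signed EC certificate plus its private key.
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1)).sign(key, hashes.SHA256()))
    return key, cert

def sign_with_multiple(content, signers):
    # One SignedData over the same content: call add_signer once per (key, cert) pair.
    builder = pkcs7.PKCS7SignatureBuilder().set_data(content)
    for key, cert in signers:
        builder = builder.add_signer(cert, key, hashes.SHA256())
    return builder.sign(serialization.Encoding.DER, [])  # default options: certs embedded, content attached

def der_tlv(buf, pos):
    # Read one DER TLV at pos -> (tag, value, position after it); single-byte tags only.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(buf):  # yield (tag, value) for every element inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_tlv(buf, pos)
        yield tag, value

def inspect_signed_data(der):
    # Walk ContentInfo -> SignedData and report the certificates list plus one entry per SignerInfo.
    _, content_info, _ = der_tlv(der, 0)          # ContentInfo SEQUENCE
    _, _, pos = der_tlv(content_info, 0)          # contentType OID (id-signedData)
    _, explicit0, _ = der_tlv(content_info, pos)  # [0] EXPLICIT wrapper
    _, signed_data, _ = der_tlv(explicit0, 0)     # SignedData SEQUENCE
    fields = list(der_children(signed_data))
    certs = sum(len(list(der_children(v))) for t, v in fields if t == 0xA0)  # optional [0] certificates
    signer_ids = []
    for _, signer_info in der_children(fields[-1][1]):  # signerInfos: SET OF SignerInfo, always last field
        sid_tag = list(der_children(signer_info))[1][0]  # SignerInfo = version, sid, digestAlgorithm, ...
        signer_ids.append("issuerAndSerialNumber" if sid_tag == 0x30 else "subjectKeyIdentifier")
    return {"certificates": certs, "signerInfos": signer_ids}
```

Verifying the bundle then means checking each SignerInfo's signature independently against the certificate it names, which is exactly what the per-signer layout makes possible.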
Summary
PKCS#7 signed-data supports multiple signatures by including multiple SignerInfo entries, each linking to a certificate and containing an independent signature over the same content. This allows independent validation of each signer's identity and signature.