PKCS#7 Signed-Data Format
The PKCS#7 signed-data format (now maintained as CMS, the Cryptographic Message Syntax, RFC 5652) defines how one or more signers apply digital signatures to a piece of content using public key cryptography, and how the signature, the algorithm identifiers and (optionally) the signer certificates are packaged so that a recipient can verify them. The same structure underlies S/MIME signed email and Windows Authenticode code signing.
What It Contains
A PKCS#7/CMS signed-data object includes:
- The original content (optional; embedded in the opaque form, absent in the detached form)
- One or more SignerInfo entries, each carrying a signer's signature plus the signed attributes it covers (in practice the content type and a message digest of the content)
- The signer's certificate(s) (optional; a verifier may already hold them, and their presence in the message proves nothing by itself, since the chain must still be validated against a trusted root)
- Algorithm identifiers (which digest and signature algorithms were used)
Two Common Forms
1. Opaque Signature (Embedded, also called attached)
- The signed content is embedded inside the PKCS#7 structure.
- Common for signing documents or binary blobs.
- Often seen with the file extension .p7m (MIME type application/pkcs7-mime).
Use case: securely transmit signed content in a single file; the recipient extracts the content only after verifying it.
2. Detached Signature
- Only the signature and its metadata are in the PKCS#7 object.
- The original data is external and must be provided separately for verification, byte for byte: any change to the file, including line-ending or character-set conversion, makes verification fail, and the signature does not bind the file's name.
- Often seen with the file extension .p7s or .sig.
Use case: when the original file must remain readable and unchanged or be transmitted separately (e.g., code signing, or S/MIME multipart/signed email, where the .p7s part accompanies the clear-text message).
Summary
| Format Type | Description | Typical extension |
|---|---|---|
| Opaque (attached) | Signature and original data in one object | .p7m |
| Detached | Signature only; refers to external data supplied at verification | .p7s, .sig |