Use the PKCS7 signature to verify the instance identity document - Amazon Elastic Compute Cloud

This topic explains how to verify the instance identity document using the PKCS7 signature and the AWS DSA public certificate.

To verify the instance identity document using the PKCS7 signature and the AWS DSA public certificate
  1. Connect to the instance.

  2. Retrieve the PKCS7 signature from the instance metadata and add it to a new file named pkcs7 along with the required header and footer. IMDS returns the signature as bare base64 with no trailing newline, so the commands append an empty line before the footer to keep it on its own line. The commands append with >>, so delete any existing pkcs7 file first. Use one of the following commands depending on the IMDS version used by the instance.

    IMDSv2
    $ echo "-----BEGIN PKCS7-----" >> pkcs7 \
      && TOKEN=`curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
      && curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 >> pkcs7 \
      && echo "" >> pkcs7 \
      && echo "-----END PKCS7-----" >> pkcs7
    IMDSv1
    $ echo "-----BEGIN PKCS7-----" >> pkcs7 \
      && curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 >> pkcs7 \
      && echo "" >> pkcs7 \
      && echo "-----END PKCS7-----" >> pkcs7
  3. Find the DSA public certificate for your Region in AWS public certificates and add the contents to a new file named certificate.

  4. Use the OpenSSL smime command to verify the signature. The -verify option checks the PKCS7 signature against the certificate supplied with -certfile. The -noverify option skips validation of that certificate's chain, which is necessary because the AWS certificate is self-signed and chains to no CA; the signature itself is still checked. This means the only trust anchor in the procedure is the certificate you copied from the AWS documentation in step 3, so take it from that page and not from the instance or the PKCS7 blob. If you want OpenSSL to ignore any certificate carried inside the blob and use only the -certfile certificate, also add the -nointern option.

    $ openssl smime -verify -in pkcs7 -inform PEM -certfile certificate -noverify | tee document

    If the signature is valid, the Verification successful message appears.

    The command also writes the contents of the instance identity document to a new file named document. You can compare the contents of the instance identity document from the instance metadata with the contents of this file using the following commands. The two digests must be identical. On an instance that uses IMDSv1, omit the X-aws-ec2-metadata-token header; on IMDSv2, the $TOKEN value from step 2 is valid for the TTL requested there (21600 seconds).

    $ openssl dgst -sha256 < document
    $ curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | openssl dgst -sha256

    If the signature cannot be verified, contact AWS Support.
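The whole procedure above (wrap the bare base64 in PEM armour, verify with openssl smime, compare digests) as an added example that is not part of the AWS page. It runs offline: instead of calling IMDS it signs a constructed identity document with a throwaway self-signed certificate, strips the PEM armour to mimic what IMDS returns, and then runs the page's verification. The throwaway key is RSA rather than DSA and the document contents are made up; the openssl smime verification path is the same. It assumes the openssl command-line tool is on PATH. It also shows the check a practitioner wants: the same blob fails against a second, unrelated certificate, so the trust really does come from the certificate file obtained out of band.

```shell
#!/bin/sh
# Added example, not from the AWS page: the page's steps as shell functions,
# exercised offline against a constructed identity document and a throwaway
# self-signed certificate standing in for the regional AWS DSA certificate.
set -eu

# Step 2: wrap the bare base64 body that IMDS returns in the PEM header and
# footer. IMDS sends no trailing newline, which is why the AWS commands
# echo "" before the footer; awk '1' emits exactly one newline after the
# last line whether or not the input already had one.
wrap_pkcs7() {        # wrap_pkcs7 RAW_B64_FILE OUT_PEM_FILE
  {
    printf '%s\n' '-----BEGIN PKCS7-----'
    awk '1' "$1"
    printf '%s\n' '-----END PKCS7-----'
  } > "$2"
}

# Step 4: check the PKCS7 signature against ONLY the certificate file we
# obtained out of band. -noverify skips chain validation (the AWS cert is
# self-signed, so there is no chain to build); -nointern stops OpenSSL from
# accepting a signer certificate carried inside the blob itself.
verify_identity() {   # verify_identity PEM_FILE CERT_FILE OUT_DOCUMENT
  openssl smime -verify -in "$1" -inform PEM -certfile "$2" \
      -noverify -nointern -out "$3" 2>/dev/null
}

# Digest helper for the final comparison step (works with 1.1.x and 3.x output).
sha256_of() { openssl dgst -sha256 < "$1" | awk '{print $NF}'; }

# Offline stand-in for IMDS: sign a constructed document with a throwaway key,
# then strip the PEM armour so the blob looks like what IMDS returns.
# Returns 0 only if the genuine cert verifies AND a decoy cert is rejected.
run_demo() {
  tmp=$(mktemp -d)
  # Constructed sample document (not real instance data).
  printf '{"instanceId":"i-00000000000000000","region":"us-east-1"}\n' \
      > "$tmp/document"
  for name in aws decoy; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$tmp/$name.key" -out "$tmp/$name.crt" 2>/dev/null
  done
  openssl smime -sign -binary -nodetach -in "$tmp/document" \
      -signer "$tmp/aws.crt" -inkey "$tmp/aws.key" -outform PEM \
      -out "$tmp/signed.pem"
  # Like IMDS: base64 body only, no PEM lines, no trailing newline.
  printf '%s' "$(grep -v -- '-----' "$tmp/signed.pem")" > "$tmp/raw"

  wrap_pkcs7 "$tmp/raw" "$tmp/pkcs7"
  status=0
  # Genuine certificate: signature verifies and the recovered document
  # hashes to the same value as the document we "fetched from IMDS".
  if ! verify_identity "$tmp/pkcs7" "$tmp/aws.crt" "$tmp/out"; then status=1; fi
  [ "$(sha256_of "$tmp/out")" = "$(sha256_of "$tmp/document")" ] || status=1
  # Wrong certificate: must fail. This is what proves the trust comes from
  # the certificate file and not from anything inside the blob.
  if verify_identity "$tmp/pkcs7" "$tmp/decoy.crt" "$tmp/out2"; then status=1; fi
  rm -rf "$tmp"
  return $status
}

run_demo && echo "PKCS7 verification demo passed: genuine cert accepted, decoy rejected"
```

Note that openssl smime -sign embeds the signer certificate in the blob it produces, so without -nointern the decoy check in this simulation would "pass": OpenSSL would find the embedded certificate, and -noverify would then accept it without asking where it came from. Keeping -nointern makes the command's result depend only on the certificate you pasted from the AWS documentation.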