I want to sign plaintext using a SQL Server certificate and then verify that signature using the certificate's public key on an external system. Here's what I've tried.

```tsql
-- Create a self-signed certificate
CREATE CERTIFICATE MyCert WITH SUBJECT = 'Integrations';

-- Output the public certificate
SELECT [der_hex] = CERTENCODED(CERT_ID('MyCert'));
```

Using CyberChef, I can convert this binary output into a PEM format and also verify that it parses as a X.509 certificate with an RSA public key: [CyberChef example][1].

After writing this PEM-format certificate to a file, then using `openssl` I can extract this RSA Public Key in PEM format:

```
% openssl x509 -inform pem -in cert.pem -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvHYJf/jNWetCyySQBWVO
S9M8maFmMQXOZDG2eXHsw92rCjhNbtFsWBi077rQrN/zAXuiiWC1oFAwHMOrMleI
jZCaghqdBr9HI5IbCe1eZvucg3K+AfLx3iZ9zr//HSh+0bKVScWW9POW19F2F8z/
uIWnHDOXEDO0BrZ7W9thl0WRaY+dG8jPtQSxL8fVhcho1g6fF3vmD1zpiIHmAiZI
h0np0rdYQ/pj8aK7jRLgPlsz4JqQ5JZBhtLmxK5Vz6OZ6+ocqfltmuL0f5wGbd8M
e2qmXcBB6DFJm4xs+Ey7FqSjAMFiMBNYWt2NbEeAKHxBjXOjM0vbtGaVyT8uaSJW
JQIDAQAB
-----END PUBLIC KEY-----
```

Now, I can have SQL Server sign some data:

```tsql
SELECT [signature] = SIGNBYCERT(CERT_ID('MyCert'), 'hello');
```

And now, again using CyberChef, I want to verify the signature against the same plaintext using the public key: [CyberChef example][2].

Unfortunately, this signature does not verify and I'm unable to figure out where I'm going wrong. [The documentation for `SIGNBYCERT()`](https://docs.microsoft.com/en-us/sql/t-sql/functions/signbycert-transact-sql?view=sql-server-2016) is not exactly tremendous, in that it is not specific about any particular standards or formats that are used to generate the signature.

I am assuming that it is an RSA signature by virtue of the metadata in the certificate used to create the signature. But I recognize that this could be an issue of text encoding; I'm sure the text I'm verifying in CyberChef is UTF-8, and nowhere in the SQL code have I declared what text encoding to use when generating the signature -- and indeed, if I pass in `N'hello'` instead of `'hello'`, the signature output changes.

However, this seems to be a moot point since when attempting to verify a signature in CyberChef, the error I receive is `Error: Encryption block is invalid.` This would indicate an issue with the signature format, not with the data simply not validating -- valid or invalid data instead would receive a `Verification failure` or `Verified OK` message. [This GitHub issue](https://github.com/digitalbazaar/forge/issues/316) indicates it could be a difference in padding algorithm. I think I am also concerned about the internal structure of SQL Server's signature output not being "formatted" the right way, but I am not really knowledgeable enough to know how far-fetched that is.

Assuming that nothing super proprietary is going on here, what do I have to do to verify a SQL Server signature with external systems?

[1]: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Hex('Space',0)Hex_to_PEM('CERTIFICATE')Parse_X.509_certificate('PEM'/breakpoint)&input=MHgzMDgyMDJCNjMwODIwMTlFQTAwMzAyMDEwMjAyMTA1RDc1QTJBMkU4MzA5RDk4NDcwRUU3MDIxOTAyNzIyMDMwMEQwNjA5MkE4NjQ4ODZGNzBEMDEwMTA1MDUwMDMwMTczMTE1MzAxMzA2MDM1NTA0MDMxMzBDNDk2RTc0NjU2NzcyNjE3NDY5NkY2RTczMzAxRTE3MEQzMjMxMzAzNjMwMzQzMjMyMzMzMjM0MzQ1QTE3MEQzMjMyMzAzNjMwMzQzMjMyMzMzMjM0MzQ1QTMwMTczMTE1MzAxMzA2MDM1NTA0MDMxMzBDNDk2RTc0NjU2NzcyNjE3NDY5NkY2RTczMzA4MjAxMjIzMDBEMDYwOTJBODY0ODg2RjcwRDAxMDEwMTA1MDAwMzgyMDEwRjAwMzA4MjAxMEEwMjgyMDEwMTAwQkM3NjA5N0ZGOENENTlFQjQyQ0IyNDkwMDU2NTRFNEJEMzNDOTlBMTY2MzEwNUNFNjQzMUI2Nzk3MUVDQzNEREFCMEEzODRENkVEMTZDNTgxOEI0RUZCQUQwQUNERkYzMDE3QkEyODk2MEI1QTA1MDMwMUNDM0FCMzI1Nzg4OEQ5MDlBODIxQTlEMDZCRjQ3MjM5MjFCMDlFRDVFNjZGQjlDODM3MkJFMDFGMkYxREUyNjdEQ0VCRkZGMUQyODdFRDFCMjk1NDlDNTk2RjRGMzk2RDdEMTc2MTdDQ0ZGQjg4NUE3MUMzMzk3MTAzM0I0MDZCNjdCNUJEQjYxOTc0NTkxNjk4RjlEMUJDOENGQjUwNEIxMkZDN0Q1ODVDODY4RDYwRTlGMTc3QkU2MEY1Q0U5ODg4MUU2MDIyNjQ4ODc0OUU5RDJCNzU4NDNGQTYzRjFBMkJCOEQxMkUwM0U1QjMzRTA5QTkwRTQ5NjQxODZEMkU2QzRBRTU1Q0ZBMzk5RUJFQTFDQTlGOTZEOUFFMkY0N0Y5QzA2NkRERjBDN0I2QUE2NURDMDQxRTgzMTQ5OUI4QzZDRjg0Q0JCMTZBNEEzMDBDMTYyMzAxMzU4NUFERDhENkM0NzgwMjg3QzQxOEQ3M0EzMzM0QkRCQjQ2Njk1QzkzRjJFNjkyMjU2MjUwMjAzMDEwMDAxMzAwRDA2MDkyQTg2NDg4NkY3MEQwMTAxMDUwNTAwMDM4MjAxMDEwMDA3QjQ4NjFDREVGNDRBMkQwNEQwRTczNEJDNkYwNzVEM0QzQUEyQUY2NTY4Q0ExOUEzOUQ2NDQ0NkY4NDc0MDM4OERERkQzOEE2NjgyODMzNjQ2QTcyQzI5RDU3Mzg5RjZGODc5RjJDN0ZEMzlCQTA4QTNCMzc4QTRCOTZBNENGNUREMDAzNzcyQUM0NDkxN0RDMjAzN0U1MzIyRUJEOTMyNjlGQzRDMkREN0M5Q0VGNzNGOTc3NTEwRjA3RkE2MDZGN0RDM0U3OEMzMTUyM0FDRjQ4QTA0NzgwQzlENjhCNUQ0RjIxNzNFNEM3NDQxMkY0RjY5NTM5OTJBRUM4MjVFRDJFRTFEMTY4NTQ5RDBBNEY5NDlERDNDNkE4MzM0ODUxMkY2M0VFNTlDMDlDMkQ2MzI2QUFBRkFBOEJBOUQ1QjJGNjI3MkY1QkQ4ODNFQzQwQ0E4NkEzODU4QzRBMUNGRDMyNzZDMzgzNEUwQzk2QzNFMUUyRjQ4QkZFOERGQzUzMDg1QzJCODgyRDdEQjk0ODU0Qzk0RDEwNEM5NUUxODA1QkQxODNEMjQwRUNCNTU2QTAxNkQwMzZCRjU4OThGOTMzRjgxNzlERTJDMjBEQzcwQzc5NkRFQzQ2NURERTgwOTUzQUY3MUYyRkI4QjBDRDY0NjY2NjI1RURFQzUx

[2]: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')RSA_Verify('-----BEGIN%20PUBLIC%20KEY-----%5CnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvHYJf/jNWetCyySQBWVO%5CnS9M8maFmMQXOZDG2eXHsw92rCjhNbtFsWBi077rQrN/zAXuiiWC1oFAwHMOrMleI%5CnjZCaghqdBr9HI5IbCe1eZvucg3K%2BAfLx3iZ9zr//HSh%2B0bKVScWW9POW19F2F8z/%5CnuIWnHDOXEDO0BrZ7W9thl0WRaY%2BdG8jPtQSxL8fVhcho1g6fF3vmD1zpiIHmAiZI%5Cnh0np0rdYQ/pj8aK7jRLgPlsz4JqQ5JZBhtLmxK5Vz6OZ6%2BocqfltmuL0f5wGbd8M%5Cne2qmXcBB6DFJm4xs%2BEy7FqSjAMFiMBNYWt2NbEeAKHxBjXOjM0vbtGaVyT8uaSJW%5CnJQIDAQAB%5Cn-----END%20PUBLIC%20KEY-----','hello','SHA-1')&input=MHg4NDk1OEIwMTA0RjhDN0FFOEQxMkVBN0ZBMDhCM0REMjNDQkE0M0VDNjM1RkY0MEYyMjBFMTgzNkIyRjAxQ0RERkUwRDk5QjJFRUREQjlCRUE5MEJFQjZFMjc0RDE4NEVDOEYyRjM2Mjc5RTRGRjc2RDU0QjQyRTAxNTVFOUIyNkVDMDA4ODRENkUzNjgwOEMzQTM0QjNEQkZDRDg1QkQyQkYxMjZGOUZDQjk3QzNDN0REMTU1RkU2MjQ1QzU2OUVGMzQ1MkJEOTc3NEQ1N0RGRDgxNUEyQzc4NkVFQUQ0NUYwQTc0RjFBMTI5QjI5NDE3OEYwOTI2RDdFRjFGOTVBOTcwQ0JGNTI0MUU3MzlGMjY0OUJDRkI5Q0NFRkQ4MDI5OENFMjcwQkI0MUU0QTMxQzAwMzM3NjI2ODJGMkU3QzNDOTYxREI3OTJFMTBENkJBNUYwQzlCMDg0RDRCQjI1QjU5MTEzMjFEQzlBRDM1QzAyNUM4MzBGQUQwRkUwNDlGNjU2QjAyRkIxQzM5NDYzM0U5NTM3NTA5MDlFQ0U4QkU5MUE2OEM4MjNCQTNBODgxMzJDMzYzMzZFMDcwRDBEQzM1ODcxMkIwOTdCQzc0MDUzQ0E5Qzk3RTVEQ0E5QkI1RTFGRkJGNUNCRURDOTEwNjIzQzg3QTE0RTZBREJBOA