Tags: amazon-web-services, cryptography, rsa, aws-cli, amazon-kms

AWS KMS InvalidSignatureException when using correct signature


The sequence of commands I am running is:

$ aws kms sign --key-id 29245e92-1763-4369-871b-d8646e23c40a --message "Hello world!" --signing-algorithm RSASSA_PSS_SHA_256
{
    "KeyId": "arn:aws:kms:eu-west-2:445875827267:key/29245e92-1763-4369-871b-d8646e23c40a",
    "Signature": "T8eYRCTFuigdnHCuYytLscu9EGcdg9UJupPwVB1F3vEENgnkQR37ZPbn5nPr6CTahX+AXTXLFXf8trxRHKoy8997vfuyMaH3RwhFYBDJiAYdJQeBWSyqw5TIwOAnjAYNwJHuX2N8RY2+yKA1vHARNtOiHUesrc/+6eMbaf+ZTJEhY3aIuThW3cjCjnWSoaC44NIMuXfTOVMBhfoKuMW+IZSjH4cCxgj1MaR2sumnCwRW6irTRQOo/NBaxV/8NUWO9RMavDyFpeoxotNGFK0MNhbia4wkady5Dw0orWZSMI30kly66I5ubu+wVgX14GLIiSZofd9Y7RzHmvxL2MTxiQ==",
    "SigningAlgorithm": "RSASSA_PSS_SHA_256"
}

$ aws kms verify --key-id 29245e92-1763-4369-871b-d8646e23c40a --message "Hello world!" --signature T8eYRCTFuigdnHCuYytLscu9EGcdg9UJupPwVB1F3vEENgnkQR37ZPbn5nPr6CTahX+AXTXLFXf8trxRHKoy8997vfuyMaH3RwhFYBDJiAYdJQeBWSyqw5TIwOAnjAYNwJHuX2N8RY2+yKA1vHARNtOiHUesrc/+6eMbaf+ZTJEhY3aIuThW3cjCjnWSoaC44NIMuXfTOVMBhfoKuMW+IZSjH4cCxgj1MaR2sumnCwRW6irTRQOo/NBaxV/8NUWO9RMavDyFpeoxotNGFK0MNhbia4wkady5Dw0orWZSMI30kly66I5ubu+wVgX14GLIiSZofd9Y7RzHmvxL2MTxiQ== --signing-algorithm RSASSA_PSS_SHA_256

An error occurred (KMSInvalidSignatureException) when calling the Verify operation:

Surely this should work? What am I missing here?


Solution

  • Solved from Anon's Comment except need to use fileb:// instead: e.g.

    $ aws kms verify --key-id 29245e92-1763-4369-871b-d8646e23c40a --message "Hello world!" --signature fileb://raw.sig --signing-algorithm RSASSA_PSS_SHA_256
    {
        "KeyId": "arn:aws:kms:eu-west-2:445875827267:key/29245e92-1763-4369-871b-d8646e23c40a",
        "SignatureValid": true,
        "SigningAlgorithm": "RSASSA_PSS_SHA_256"
    }
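
One way to produce the `raw.sig` file used above, as an added example that is not part of the original post: the `Signature` field returned by `aws kms sign` is base64 text, so it is decoded to raw bytes before being handed to `verify` through `fileb://`. The function names are hypothetical; `--query` and `--output text` are standard AWS CLI global options, and the message is assumed to be accepted by the CLI as typed in the question.

```bash
#!/usr/bin/env bash
# Added example: round-trip a KMS signature through a raw binary file.

# Decode the base64 "Signature" text from `aws kms sign` into raw bytes.
# $1 = base64 text, $2 = output file.
# Returns 1 (and leaves no file behind) if the text is not valid base64
# or decodes to nothing, so a bad copy/paste never reaches `verify`.
b64_to_raw_sig() {
    local b64="$1" out="$2"
    printf '%s' "$b64" | base64 -d > "$out" 2>/dev/null || { rm -f "$out"; return 1; }
    [ -s "$out" ] || { rm -f "$out"; return 1; }
}

# Size of the decoded signature in bytes (useful as a sanity check:
# the raw file is always shorter than the base64 text it came from).
raw_sig_len() {
    echo $(( $(wc -c < "$1") ))
}

# Sign a message, store the signature as raw bytes in ./raw.sig,
# then verify it. $1 = key id, $2 = message, $3 = signing algorithm.
kms_sign_then_verify() {
    local key_id="$1" msg="$2" alg="$3" sig_b64
    # --query/--output text print only the base64 Signature value
    sig_b64=$(aws kms sign --key-id "$key_id" --message "$msg" \
        --signing-algorithm "$alg" --query Signature --output text) || return 1
    b64_to_raw_sig "$sig_b64" raw.sig || return 1
    aws kms verify --key-id "$key_id" --message "$msg" \
        --signature fileb://raw.sig --signing-algorithm "$alg"
}

# Run only when called with: <key-id> <message> <signing-algorithm>
if [ "$#" -eq 3 ]; then
    kms_sign_then_verify "$@"
fi
```
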