The details of the content actually hashed and signed into CMS message depend to some extent on the technology used. Some technologies will represent string data as UNICODE-encoded bytes, while others will simply use text data as ANSI data (one character per byte). This can cause confusion in the process of verifying detached CMS signatures if the verification program is not aware of how the content data was originally represented for hashing and signing.
The WSH vbs script VerifyPKCS7.vbs is a utility which demonstrates one approach to verifying CMS/pkcs#7 signature messages which should cover most of the common cases:
The signature alone is first verified and if successful, signature verification is attempted including the certificate chain validity and
the date validity of the signature (relative to a timestamp, if included with the signature, or the validity period of the certificate).
For detached signatures, several consecutive attempts are made to verify the CMS
signature (and validate the associated certificates) using typical scenarios (UNICODE,
ANSI, raw binary bytes). The detailed status of the verification is displayed, including
error codes for various attempts at verification, if the Verbose variable is True
(default is False). The status of the verification is displayed in a message box window.