The Signing
You can view the message to be signed by running the xxd command on the decoded base64 message:
xxd -l 64 <(base64 -d <<< cHJvb2Ygb2YgcHJpdmF0ZSBrZXkgY3RybDtub25jZS1aub2puDlP6jhTHgCx27YMFWKhQUVXFIDdxnFkjPGKKAMAF0EEVlO1Afskc+N/82BMOEvWUIaJNvyvAeniaqtA6oZGHG0sBXIioShZl0V94BZQ2u5/cF3rBoyEyZINfD6AgwWQ9A==)
The message itself is hashed using SHA-256:
And that hash is then signed using the key (openssl creates the hash itself, so you still have to pass in the full message rather than just the hash):
Verification:
Here are the steps to verify the signature from a Linux command line console:
1) Download the certificate:
wget -O 349531041.cer 'https://crt.sh/?d=349531041'
2) Run the OpenSSL dgst command to show that the signature is valid:
openssl dgst -sha256 -verify <pubkey> -signature <signature> <message>
Paste the following into a terminal, and the output will say that the signature is verified!
wget -O 349531041.cer 'https://crt.sh/?d=349531041'
openssl dgst -sha256 -verify <(openssl x509 -in 349531041.cer -pubkey -noout) -signature <(base64 -d <<< MEYCIQDCKIiTYVoKVbWN67jx2WvO455Iks/B7KgfW0xVWaheKQIhANwHWLNGeAoQeYIIwhjvXJ23I1L+bzZRzEPpb/QdJfaz) <(base64 -d <<< cHJvb2Ygb2YgcHJpdmF0ZSBrZXkgY3RybDtub25jZS1aub2puDlP6jhTHgCx27YMFWKhQUVXFIDdxnFkjPGKKAMAF0EEVlO1Afskc+N/82BMOEvWUIaJNvyvAeniaqtA6oZGHG0sBXIioShZl0V94BZQ2u5/cF3rBoyEyZINfD6AgwWQ9A==)
And there you have it, proof.
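To see what the two base64 arguments in the command above contain before trusting the result, the following added example (not part of the original post; the function names are this example's own) decodes the message, computes the SHA-256 digest that openssl dgst signs over, and strictly parses the DER-encoded ECDSA signature into its r and s integers. It checks encoding only; validating the signature still needs the public key from the certificate.

```python
import base64
import hashlib

# Both values are copied from the article's openssl command.
MESSAGE_B64 = "cHJvb2Ygb2YgcHJpdmF0ZSBrZXkgY3RybDtub25jZS1aub2puDlP6jhTHgCx27YMFWKhQUVXFIDdxnFkjPGKKAMAF0EEVlO1Afskc+N/82BMOEvWUIaJNvyvAeniaqtA6oZGHG0sBXIioShZl0V94BZQ2u5/cF3rBoyEyZINfD6AgwWQ9A=="
SIGNATURE_B64 = "MEYCIQDCKIiTYVoKVbWN67jx2WvO455Iks/B7KgfW0xVWaheKQIhANwHWLNGeAoQeYIIwhjvXJ23I1L+bzZRzEPpb/QdJfaz"


def read_der_integer(buf, pos):
    """Read one short-form DER INTEGER at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length = buf[pos + 1]
    body = buf[pos + 2:pos + 2 + length]
    if length == 0 or length >= 0x80 or len(body) != length:
        raise ValueError("bad or truncated INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r or s")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big"), pos + 2 + length


def parse_ecdsa_signature(der):
    """Split a DER ECDSA signature (SEQUENCE of two INTEGERs) into (r, s)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected short-form SEQUENCE")
    if der[1] != len(der) - 2:
        raise ValueError("SEQUENCE length does not match signature size")
    r, pos = read_der_integer(der, 2)
    s, pos = read_der_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    return r, s


def inspect(message_b64=MESSAGE_B64, signature_b64=SIGNATURE_B64):
    """Decode both inputs and summarise what is being verified."""
    message = base64.b64decode(message_b64, validate=True)
    r, s = parse_ecdsa_signature(base64.b64decode(signature_b64, validate=True))
    return {
        "message_len": len(message),
        "text_prefix": message[:32].decode("ascii"),  # readable start of the message
        "sha256": hashlib.sha256(message).hexdigest(),  # digest the signature covers
        "r": r,
        "s": s,
    }


if __name__ == "__main__":
    for key, value in inspect().items():
        print(f"{key}: {value:#x}" if key in ("r", "s") else f"{key}: {value}")
```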
An update to this is here:
https://medium.com/@ECCTLS/how-to-sign-with-googles-private-key-5b8e99abcdb3