Fixes: #21

This change fixes the verification of PKCS#7 signatures by using Node.js's built-in crypto module instead of node-forge by:

1. Still parsing the PKCS#7 ASN.1 structure with node-forge
2. Verifying the messageDigest authenticated attribute matches the content has calculated with Node.js's crypto.createHash()
3. Verifying the RSA signature over the authenticated attributes using Node.js's crypto.createVerify()

Additionally, self-signed certificates now return "self-signed" status without requiring OS chain verification. This is not a functional change but a small optimization.

Motivation and Context

node-forge's pkcs7.verify() is not implemented and always throws with the following message: "PKCS#7 signature verification not yet implemented.". This caused mcpb verify and mcpb info to report all signed bundles as unsigned.

How Has This Been Tested?

The changes have been tested by running the existing test suite located at test/sign.e2e.test.ts, as well as by manually running the pack, sign, info, and verify CLI commands on the test servers under examples/hello-world-node in this repository.

Breaking Changes

No breaking changes are introduced; existing functionality remains intact.

Types of changes

• Bug fix (non-breaking change which fixes an issue)

• New feature (non-breaking change which adds functionality)

• Breaking change (fix or feature that would cause existing functionality to change)

• Documentation update

Checklist

• I have read the MCP Documentation

• My code follows the repository's style guidelines

• New and existing tests pass locally

• I have added appropriate error handling

• I have added or updated documentation as needed

Additional context

The implementation addresses the limitation of the node-forge library regarding PKCS#7 signature verification by using a custom function that adheres to RFC 5652 specifications.