diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index 372ac9dab..8d1f6d91c 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -71,6 +71,11 @@ command = {
 type = "flag"
 help = "wrapped out-data in a ContentInfo"
 }
+ option = {
+ long = "detached-signature"
+ type = "flag"
+ help = "create a detached signature"
+ }
 min_args="2"
 max_args="2"
 argument="in-file out-file"
@@ -107,6 +112,11 @@ command = {
 type = "flag"
 help = "unwrap in-data that's in a ContentInfo"
 }
+ option = {
+ long = "signed-content"
+ type = "string"
+ help = "file containing content"
+ }
 min_args="2"
 max_args="2"
 argument="in-file out-file"
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index ef378271f..181dfbd23 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -88,7 +88,7 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
 {
 hx509_verify_ctx ctx = NULL;
 heim_oid type;
- heim_octet_string c, co;
+ heim_octet_string c, co, signeddata, *sd = NULL;
 hx509_certs store = NULL;
 hx509_certs signers = NULL;
 hx509_certs anchors = NULL;
@@ -108,6 +108,13 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
 if (ret)
 err(1, "map_file: %s: %d", argv[0], ret);
+ if (opt->signed_content_string) {
+ ret = _hx509_map_file_os(opt->signed_content_string, &signeddata, NULL);
+ if (ret)
+ err(1, "map_file: %s: %d", opt->signed_content_string, ret);
+ sd = &signeddata;
+ }
+ ret = hx509_verify_init_ctx(context, &ctx);
 ret = hx509_certs_init(context, "MEMORY:cms-anchors", 0, NULL, &anchors);
@@ -136,7 +143,7 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
 hx509_verify_attach_anchors(ctx, anchors);
- ret = hx509_cms_verify_signed(context, ctx, co.data, co.length,
+ ret = hx509_cms_verify_signed(context, ctx, co.data, co.length, sd,
 store, &type, &c, &signers);
 if (co.data != p)
 der_free_octet_string(&co);
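Review bot: The help text for the new option, `help = "file containing content"`, does not say which content or why anyone would pass it, so a user of the verify command cannot tell it is the external data a detached signature was computed over; suggest `help = "file with the signed content, for verifying a detached signature"`. Nothing in the option block ties it to the detached case, so the same option is accepted against a SignedData that embeds its own content, and what happens then is decided in hxtool.c rather than here.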
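Review bot: The new block is the only place `signeddata` is ever filled in, and `sd` staying NULL is what the later call and the cleanup key on, yet nothing at the site says the file is the external content of a detached SignedData; add `/* --signed-content: external data for a detached SignedData; sd == NULL means the embedded eContent is used -- confirm against hx509_cms_verify_signed */` above the `if`. The failure path reuses the `"map_file: %s: %d"` wording of the argv[0] mapping, which is acceptable since the offending path is printed. cms_verify_sd starts and ends outside this hunk.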
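Review bot: Passing `sd` alongside the in-band SignedData in `co` leaves the precedence between the external content file and an embedded eContent to hx509_cms_verify_signed, which is outside this diff; for a detached-signature verifier that choice is security-relevant, because a SignedData that carries its own eContent must not be able to override the content the caller asked to verify. Record the expectation at the call site, e.g. `/* sd != NULL: digest the external content; an embedded eContent is expected to be rejected, not preferred -- confirm in hx509_cms_verify_signed */`. `c` is freed unconditionally further down the function, so the library must still hand back an owned buffer in the detached case, which is worth confirming rather than assuming. cms_verify_sd continues outside the hunk on both sides.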
@@ -167,6 +174,8 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
 der_free_octet_string(&c);
 _hx509_unmap_file(p, sz);
+ if (sd)
+ _hx509_unmap_file_os(sd);
 return 0;
 }
@@ -182,7 +191,7 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
 hx509_cert cert;
 size_t sz;
 void *p;
- int ret;
+ int ret, flags = 0;
 contentType = oid_id_pkcs7_data();
@@ -205,6 +214,9 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
 } else
 anchors = NULL;
+ if (opt->detached_signature_flag)
+ flags |= HX509_CMS_SIGATURE_DETACHED;
+ ret = hx509_query_alloc(context, &q);
 if (ret)
 errx(1, "hx509_query_alloc: %d", ret);
@@ -225,6 +237,7 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
 err(1, "map_file: %s: %d", argv[0], ret);
 ret = hx509_cms_create_signed_1(context,
+ flags,
 contentType,
 p,
 sz,
@@ -369,7 +382,7 @@ cms_create_enveloped(struct cms_envelope_options *opt, int argc, char **argv)
 if (ret)
 errx(1, "hx509_certs_find: %d", ret);
- ret = hx509_cms_envelope_1(context, cert, p, sz, enctype,
+ ret = hx509_cms_envelope_1(context, 0, cert, p, sz, enctype,
 oid_id_pkcs7_data(), &o);
 if (ret)
 errx(1, "hx509_cms_envelope_1: %d", ret);
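Review bot: `HX509_CMS_SIGATURE_DETACHED` is missing the N of SIGNATURE; its definition is outside this diff, so if the library header spells it this way the typo becomes public API that every caller has to reproduce, and it is cheapest to fix now or at least to pair it with a correctly spelled alias such as `#define HX509_CMS_SIGNATURE_DETACHED HX509_CMS_SIGATURE_DETACHED` in that header. The bit is set purely from `opt->detached_signature_flag`, so a one-line `/* flags for hx509_cms_create_signed_1 */` beside the `if` would tell a reader where `flags` ends up. cms_create_sd continues outside this hunk.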
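Review bot: The new second argument to `hx509_cms_envelope_1` is a bare `0`, while cms_create_sd in the same diff builds a named `flags` for the sibling `hx509_cms_create_signed_1` call; nothing on this line says the literal is a flags word, so write `hx509_cms_envelope_1(context, 0 /* flags */, cert, p, sz, enctype,` or mirror the other call with a local `int flags = 0;`. Which flag values hx509_cms_envelope_1 accepts is defined outside this diff. cms_create_enveloped starts and ends outside the hunk.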