verifysig.py

import base64
import ecdsa
import requests
import cryptography.x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.hashes import SHA384
from cryptography.hazmat.primitives.asymmetric import ec as cryptography_ec
from cryptography.hazmat.primitives.asymmetric.utils import encode_dss_signature


x5u = "https://content-signature-2.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-2019-12-24-21-43-28.chain"
signature_b64 = "80aDcD0HGWOoFHzKv3wMnfxMqgrb24Bz9G0w-87yDWaAIuj6vyCtybIl8lhE8gqmNPqSxPGCTpGqNiuW_J6_pZ2AyMRy_WN2l7asraSh5giBwKCXn6anOF8M2PsjNSi4"
data = b"""Content-Signature:\x00{"data":[],"last_modified":"1485794868067"}"""

# Fetch PEM
resp = requests.get(x5u)
cert_pem = resp.text.encode("utf-8")
# Parse PEM
cert = cryptography.x509.load_pem_x509_certificate(cert_pem, default_backend())
public_key = cert.public_key()

# Instantiate signature
signature_bytes = base64.urlsafe_b64decode(signature_b64)
r, s = ecdsa.util.sigdecode_string(signature_bytes, order=ecdsa.curves.NIST384p.order)
signature = encode_dss_signature(r, s)

# Verify
public_key.verify(signature, data, cryptography_ec.ECDSA(SHA384()))
print("Signature OK")