From 26aea6f87e4d8cdf65d8382c5b7083123e3f8cef Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Sat, 7 Oct 2023 17:09:47 +0200
Subject: [PATCH] fixup! PKCS7 and SMIME: improve documentation w.r.t.
 untrusted and signer certificates

---
 doc/man3/PKCS7_verify.pod | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/doc/man3/PKCS7_verify.pod b/doc/man3/PKCS7_verify.pod
index 4d1b230ac2977..330405aadc1f9 100644
--- a/doc/man3/PKCS7_verify.pod
+++ b/doc/man3/PKCS7_verify.pod
@@ -28,9 +28,13 @@ Otherwise I<indata> should be NULL, and then the signed data must be in I<p7>.
 The content is written to the BIO I<out> unless it is NULL.
 I<flags> is an optional set of flags, which can be used to modify the operation.
 
-PKCS7_get0_signers() retrieves the signer certificates from I<p7>, it does
+PKCS7_get0_signers() retrieves the signer certificates from I<p7>
+by matching the pairs of certificate issuer and serial number contained in
+the SignerInfos with available candidate signer certifcates. It does
 B<not> check their validity or whether any signatures are valid. The I<certs>
 and I<flags> parameters have the same meanings as in PKCS7_verify().
+If the result is not NULL, the caller must free the structure returned using
+sk_X509_free(), but must not free the certificates included there.
 
 =head1 VERIFY PROCESS