srgbnd

Reputation: 5614

Why can OpenSSL tools successfully verify an unsigned file?

I have two files with the same content: msg.txt and msg2.txt. msg.txt was signed; msg2.txt was not signed. But I see that both files pass the signature validation.

Why is it so? I thought if I sign a file, the signature should be attached somewhere to the file. But hexdump shows there is no difference between the files.

msg.txt

$ hexdump -C msg.txt
00000000 48 69 0a                     |Hi.|
00000003

msg2.txt

$ hexdump -C msg2.txt 
00000000 48 69 0a                     |Hi.|
00000003

Now every new file that contains only the word "Hi" can be successfully verified. What if another user creates a file with the word "Hi"?!

Steps to reproduce:

  1. Create a self-signed PEM certificate-key pair

     $ openssl req -x509 -sha512 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

  2. Create files

     $ echo "Hi" > msg.txt
     $ echo "Hi" > msg2.txt

  3. Sign msg.txt

     $ openssl dgst -sha512 -sign key.pem -out /tmp/signature msg.txt
     $ openssl base64 -in /tmp/signature -out signature

  4. Verify msg.txt signature

     $ openssl base64 -d -in signature -out /tmp/signature
     $ openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
     $ openssl dgst -sha512 -verify pubkey.pem -signature /tmp/signature msg.txt
     Verified OK

  5. Verify msg2.txt signature

     $ openssl dgst -sha512 -verify pubkey.pem -signature /tmp/signature msg2.txt
     Verified OK

Upvotes: 0

Views: 156

Answers (1)

Steffen Ullrich

Reputation: 123260

I thought if I sign a file, the signature should be attached somewhere to the file.

You explicitly put the signature into the separate file /tmp/signature which you later used when validating the signature - which explains why the signature was not part of the file.

And you did not sign a file but you signed the contents of a file - which explains why the signature can be applied to two separate files which have exactly the same contents.

Upvotes: 3
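The following script is an added example, not part of the question or the answer. It reproduces the detached-signature behaviour described above (the same signature verifies any file with identical bytes, and a one-byte change fails), and contrasts it with an attached CMS signature, which is the form the asker expected; the subject name, file names and the smaller 2048-bit key are assumptions for a quick non-interactive run.

```sh
#!/bin/sh
# Added example: detached (dgst) vs attached (cms) signatures with OpenSSL.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed key pair; -subj and -nodes keep the run non-interactive (assumed values)
openssl req -x509 -sha512 -newkey rsa:2048 -nodes -subj "/CN=example-signer" \
  -keyout key.pem -out cert.pem -days 365 2>/dev/null
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

# Constructed sample files: two with identical bytes, one with a single extra byte
printf 'Hi\n' > msg.txt
printf 'Hi\n' > msg2.txt
printf 'Hi!\n' > tampered.txt

# dgst -sign hashes the bytes of the input and signs that hash; msg.txt is not modified,
# the signature lives only in msg.sig (a detached signature).
openssl dgst -sha512 -sign key.pem -out msg.sig msg.txt

# Returns 0 when msg.sig matches the bytes of the given file, non-zero otherwise.
# The file name plays no part: only the content is covered by the signature.
verify_detached() {
  openssl dgst -sha512 -verify pubkey.pem -signature msg.sig "$1" >/dev/null 2>&1
}

# Attached form: CMS (PKCS#7) packages content, signature and signer certificate in
# one object (-nodetach). -binary avoids MIME text canonicalisation of the content.
openssl cms -sign -in msg.txt -signer cert.pem -inkey key.pem -nodetach -binary \
  -outform PEM -out msg.p7m

# Returns 0 and writes the recovered content to $2 when the embedded signature
# verifies against the trusted certificate; the self-signed cert is its own anchor.
verify_attached() {
  openssl cms -verify -in "$1" -inform PEM -CAfile cert.pem -binary -out "$2" \
    >/dev/null 2>&1
}

verify_detached msg.txt && echo "msg.txt: Verified OK (the bytes that were signed)"
verify_detached msg2.txt && echo "msg2.txt: Verified OK (same bytes, other file name)"
verify_detached tampered.txt || echo "tampered.txt: Verification Failure (one byte changed)"
verify_attached msg.p7m recovered.txt && cmp -s recovered.txt msg.txt \
  && echo "msg.p7m: signature verified and original content recovered"
```

The CMS form is what to use when the signature must travel inside the file; with `openssl dgst` the signature must always be distributed alongside the content, and a verifier that accepts any file matching the signature is behaving exactly as designed.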
