我需要实现用SHA256和RSA生成无封装的PKCS7数据签名，目前在拥有原始内容的情况下，这段代码能正常运行：

public byte[] signRawContent(final byte[] content) throws CMSException, IOException, OperatorCreationException, CertificateEncodingException { 
    // Create generator of pkcs7-signature message 
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); 
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC").build(privateKey); 
    generator.addSignerInfoGenerator( 
        new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(signer, certificate)); 
    generator.addCertificate(new X509CertificateHolder(certificate.getEncoded())); 
    CMSTypedData cmsTypedData = new CMSProcessableByteArray(content); 
    CMSSignedData cmsSignedData = generator.generate(cmsTypedData, false); 
    return cmsSignedData.getEncoded(); 
}

但现在遇到了另一种场景：我没有原始内容，只持有它的SHA256哈希值。由于BouncyCastle不支持在PKCS7签名中直接使用NONEwithRSA或RSA算法，我尝试自定义ContentSigner来跳过哈希步骤，但生成的签名和基于原始内容生成的签名始终不一致，目前写的代码片段如下：

public byte[] signHash(final byte[] sha256) throws IOException, OperatorCreationException, CertificateEncodingException, CMSException { 
    // Create generator of pkcs7-signature message 
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); 
    // custom content signer to bypass hash 
    ContentSigner signer = new Conte...

我想知道怎么正确实现基于SHA256哈希值生成和原始内容版本一致的无封装PKCS7签名？

内容的提问来源于stack exchange，提问作者mika91