As someone already mentioned in the previous comment, it didn't work for me until I passed in that hidden sixth argument and also explicitly added the MIME header to the $in_filename contents. (I am using PHP5.)
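// $in_filename, $out_filename, $path_to_cert and $flag are set by the caller.
$data = file_get_contents($in_filename);
// Explicitly prepend the MIME headers to the file contents.
file_put_contents($in_filename, "MIME-Version: 1.0\nContent-Disposition: attachment; filename=\"smime.p7m\"\nContent-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\nContent-Transfer-Encoding: base64\n\n$data");
openssl_pkcs7_verify($in_filename,
    $flag,
    "$out_filename.cert",   // signer certificates are written here
    array($path_to_cert),   // trusted CA certificates
    $path_to_cert,          // extra (untrusted) certificates
    $out_filename);         // sixth argument: the verified content is written here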
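
The same workaround with the return value checked strictly and the input file left unmodified, as an added example that is not part of the original comment. The function name `smime_verify_b64()`, the temp-file handling and the re-wrapping of the base64 body are assumptions; it expects the input to hold bare base64 PKCS#7 data when no MIME header is present.

```php
<?php
// Added example, not from the original comment. smime_verify_b64() is a
// hypothetical helper; $caFile is a PEM bundle of CA certificates you trust.
function smime_verify_b64(string $inFile, string $caFile, string $contentOut): array
{
    $raw = file_get_contents($inFile);
    if ($raw === false) {
        return ['ok' => false, 'result' => -1, 'errors' => ["cannot read $inFile"]];
    }

    // Only prepend the headers when the file does not already carry them.
    if (stripos($raw, 'Content-Type:') === false) {
        // Assumption: bare base64 PKCS#7. Normalise it to 64-character lines.
        $b64 = chunk_split(preg_replace('/\s+/', '', $raw), 64, "\n");
        $raw = "MIME-Version: 1.0\n"
             . "Content-Disposition: attachment; filename=\"smime.p7m\"\n"
             . "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n"
             . "Content-Transfer-Encoding: base64\n\n"
             . $b64;
    }

    // Work on a copy so the received file is never overwritten.
    $tmp = tempnam(sys_get_temp_dir(), 'p7m');
    file_put_contents($tmp, $raw);
    $signerOut = $contentOut . '.cert';

    while (openssl_error_string() !== false); // drain stale OpenSSL errors

    // Argument order as in the comment above; the sixth argument receives the content.
    $rc = openssl_pkcs7_verify($tmp, 0, $signerOut, [$caFile], $caFile, $contentOut);
    unlink($tmp);

    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }

    // true = verified, false = signature not valid, -1 = error.
    // Compare strictly: -1 is truthy in a loose "if ($rc)" test.
    if ($rc !== true) {
        @unlink($contentOut); // do not leave unverified content behind
        @unlink($signerOut);
    }
    return ['ok' => $rc === true, 'result' => $rc, 'errors' => $errors];
}
```

Treat the content file as trustworthy only when `ok` is `true`; the `errors` list holds the OpenSSL error queue for diagnosing a `false` or `-1` result.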