Metadata signature accepted by xmlsectool, not by SP

Ian Bobbitt ibobbitt at
Mon May 9 16:53:20 EDT 2016

On 5/9/16 4:38 PM, Cantor, Scott wrote:
>> I nave validation configured on the MetadataProvider
>>             <MetadataProvider type="XML"
>>                               uri=""
> Did you compare the file you're giving the Java code byte for byte with whatever lives at that URL?
> Hashing is would be a simple way to see if it's different at all.
> You can certainly try loading the file locally into the SP to see if that changes the results and rule out some things.

Yes, they're identical (sha1sum of f00db1acb51d235b29788fa3326ac0d811ea220b).

>> What am I doing wrong signing this? I'm wanting to use a short script to
>> assemble metadata from various SPs and sign
>> them using, but I've also tried
>> signing with xmlsectool and get the same
>> results. The SP I'm using to try to validate it is version 2.5.6 on CentOS 6.
> There's nothing I can really tell you, the only ways to debug a signature are mentioned in the wiki, but you'd have to know the spec to make much headway with it, it's about comparing the octets between various steps and being able to spot whatever is subtly changing.

Even if my script is wrong, shouldn't I be able to validate the output from xmlsectool with the SP? Is there something
better I should be using for managing this? I see you guys are writing a metadata aggregator, but it's only a dev
preview so far.

> -- Scott

More information about the users mailing list