Signature trust establishment failed for metadata entry

Peter Schober peter.schober at
Mon Jun 29 14:03:55 UTC 2020

* Jehan Procaccia <jehan.procaccia at> [2020-06-29 15:33]:
> "checking"  (--validateSchema) that SP metadata (MD)  alone doesn't
> show problems though :

If you suspect an invalid signature (because the IDP software told you
the signature is invalid) you can't expected disabling signature
validation in XmlSecTool to show anything.

> is the trust in signature failing because of the "Federation"
> aggregation signing (which I doubt beacause when I remove that
> specific SP , others aggreted don't complained ) or because of that
> specific SP embeded certificate/sign-keys ?

Not "because of that specific SP embeded certificate/sign-keys", but
"because of that specific SP's embeded Signature element", AFAIU.

I.e., if you're adding individually signed entities to your local
aggregate I'd remove the signatures from all entities (possibly after
first validating it, if that makes sense, e.g. if you recieved a
trustworthy copy of the verification certificate out of bounds) except
for the enclosing EntitiesDescriptor one.
(All metadata consumers should be able to verify all included
Signatures on any entities. If that cannot be ensured you should
remove those signatures.)


More information about the users mailing list