Signature trust establishment failed for metadata entry

Jehan Procaccia jehan.procaccia at
Mon Jun 29 21:36:03 UTC 2020

Le 29/06/2020 à 16:03, Peter Schober a écrit :
> * Jehan Procaccia <jehan.procaccia at> [2020-06-29 15:33]:
>> is the trust in signature failing because of the "Federation"
>> aggregation signing (which I doubt because when I remove that
>> specific SP, others aggregated don't complain) or because of that
>> specific SP embedded certificate/sign-keys?
> Not "because of that specific SP embedded certificate/sign-keys", but
> "because of that specific SP's embedded Signature element", AFAIU.
> I.e., if you're adding individually signed entities to your local
> aggregate I'd remove the signatures from all entities (possibly after
> first validating it, if that makes sense, e.g. if you received a
> trustworthy copy of the verification certificate out of bounds) except
> for the enclosing EntitiesDescriptor one.
> (All metadata consumers should be able to verify all included
> Signatures on any entities. If that cannot be ensured you should
> remove those signatures.)
> -peter

OK, I removed the Signature element:

<ds:Signature xmlns:ds="  ... 
<ds:SignatureValue>Cu8YF...ODA=</ds:SignatureValue> </ds:KeyInfo> 

from that specific SP, and kept signing the aggregate myself (in
this case for that one SP only):

./ --sign --inFile fede-imt-ext-recruitee-unsigned.xml --outFile Downloads/fede-imt-ext-recruitee-signed.xml --certificate ../ssl/fede-cert.pem --key ../ssl/fede-key.pem

and now it does load ;-)

2020-06-29 23:24:23,221 - INFO - Metadata Resolver FileBackedHTTPMetadataResolver fedeIMTextRecruitee: New metadata successfully loaded for

Thanks a lot for the help.

Is there a security issue in removing that SP's own embedded signature
(provided by the partner), as long as I re-sign it on my side with my
"federation-aggregate"?

regards.
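The manual step described in this thread, as an added example that is not part of the post or of any Shibboleth tool: it strips every ds:Signature that is a direct child of an md:EntityDescriptor from an aggregate while leaving the signature on the enclosing md:EntitiesDescriptor alone, and it lists which elements still carry a signature (the check Peter's remark implies: every consumer of the aggregate must be able to verify each of them). The sample aggregate, entityIDs and signature values are constructed placeholders. The stripped file still has to be re-signed with the federation key, as in the xmlsectool-style command above; that step, and any verification of the partner's signature beforehand, are outside this script.

```python
"""Strip per-entity XML signatures from a SAML metadata aggregate.

Added example (not from the mailing-list thread). Uses only the
standard library; signing and signature verification are not done here.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

ENTITY = f"{{{MD_NS}}}EntityDescriptor"
SIGNATURE = f"{{{DS_NS}}}Signature"

# Constructed sample: a federation-level signature on the aggregate plus one
# SP that arrived with its own embedded signature. All values are placeholders.
SAMPLE_AGGREGATE = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" Name="urn:example:federation">
  <ds:Signature><ds:SignatureValue>FEDERATION-SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <ds:Signature><ds:SignatureValue>Cu8YF...ODA=</ds:SignatureValue></ds:Signature>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def signed_elements(xml_text):
    """Return (local tag, entityID or Name) for every element that has a
    direct ds:Signature child. Each of these signatures must be verifiable
    by every consumer of the aggregate, or it should not be there."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if any(child.tag == SIGNATURE for child in elem):
            local_name = elem.tag.split("}")[-1]
            ident = elem.get("entityID") or elem.get("Name") or ""
            found.append((local_name, ident))
    return found


def strip_entity_signatures(root):
    """Remove ds:Signature children from every md:EntityDescriptor, in place.
    The document root keeps its own signature: that is the enclosing one
    you re-sign. Returns the number of signatures removed."""
    removed = 0
    for entity in list(root.iter(ENTITY)):
        if entity is root:
            continue  # single-entity file: its root signature is the one to re-sign
        for sig in [child for child in entity if child.tag == SIGNATURE]:
            entity.remove(sig)
            removed += 1
    return removed


def strip_aggregate(xml_text):
    """Parse an aggregate, strip per-entity signatures, and return
    (serialized XML, number of signatures removed)."""
    root = ET.fromstring(xml_text)
    removed = strip_entity_signatures(root)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("before:", signed_elements(SAMPLE_AGGREGATE))
    stripped, count = strip_aggregate(SAMPLE_AGGREGATE)
    print(f"removed {count} per-entity signature(s)")
    print("after: ", signed_elements(stripped))
```

The SP's KeyDescriptor, and therefore the certificate consumers use to trust the SP's own signed messages, is untouched; only the partner's signature over its EntityDescriptor goes away. Because the aggregate's content changed, any existing federation signature on the root no longer validates, which is why the output must be re-signed before it is published.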
