Signature trust establishment failed for metadata entry

Nate Klingenstein ndk at
Mon Jun 29 22:24:59 UTC 2020


It looks like they're just signing their own metadata using their own SP keypair, so you're really not getting any value from that embedded signature anyway.  The real trust establishment is out of band.  You can safely remove it and I don't really know why they'd do it in the first place.

As a general note, if it were signed by a third party that you both consider trustworthy and you could rely on that for trust establishment, then you would want to load it separately and validate it with the third party's public key.

Take care,

Signet, Inc. ®
The Art of Access ®

-----Original message-----
> From: Mak, Steve
> Sent: Monday, June 29 2020, 3:41 pm
> To: Shib Users
> Subject: RE: Signature trust establishment failed for metadata entry
> Is there a security issue in removing that SP's own/embedded signature (provided by the partner), as long as I re-sign it on my side with my "federation-aggregate"?
> It could mean the file was modified after the signature was generated, which is why the validation is failing. Or the person providing the file doesn’t completely understand XML signatures.

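The situation described in the reply above, as an added example that is not part of the original thread: it checks whether a metadata entry's embedded signature carries a certificate the entity also lists as its own key, and strips the signature only in that case. The function names, entityID and placeholder certificate strings are constructed for illustration, and the code compares certificates only; it does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a skeleton entry; placeholder strings stand in for certificates.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      UExBQ0VIT0xERVIt
      U1AtQ0VSVA==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItU1AtQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _certs(elements):
    # Normalise base64 text so line wrapping does not affect the comparison.
    texts = ("".join((e.text or "").split()) for e in elements)
    return {t for t in texts if t}

def signed_with_own_key(entity):
    """True if the embedded signature's certificate is one the entity lists for itself."""
    sig = _certs(entity.findall("ds:Signature/ds:KeyInfo//ds:X509Certificate", NS))
    own = _certs(entity.findall(".//md:KeyDescriptor//ds:X509Certificate", NS))
    return bool(sig & own)

def strip_embedded_signature(entity):
    """Remove the enveloped ds:Signature child; return how many were removed."""
    sigs = entity.findall("ds:Signature", NS)
    for s in sigs:
        entity.remove(s)
    return len(sigs)

def review(xml_text):
    # Input is assumed to be a local file already received out of band.
    entity = ET.fromstring(xml_text)
    self_asserted = signed_with_own_key(entity)
    # A signature from a different key may belong to a third party: leave it in place.
    removed = strip_embedded_signature(entity) if self_asserted else 0
    return self_asserted, removed, entity
```
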