[xmlsec] Certificate priority in verifying signatures

Aleksey Sanin aleksey at aleksey.com
Wed Feb 9 10:58:22 PST 2011


>
> Apparently, the embedded certificate takes precedence over the one
> specified in the command line!
> Since I am new to concepts related to xml signing, there may be
> something I'm overlooking here, but if my analysis is correct, this is a
> serious issue as users would be misled into thinking that
> roguemetadata.xml is signed by signer_bundle.pem while it is not.


Read the xml digital signature spec :)

Aleksey
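
A pre-check related to the concern quoted above, as an added example that is not part of the original thread and not xmlsec code: compare any certificate embedded in a signature's KeyInfo against the signer certificate you expect before relying on a verification result. All function names, the sample document and the placeholder certificate bytes are constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to raw bytes."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))

def embedded_fingerprints(xml_text: str) -> list:
    """SHA-256 fingerprints of every ds:X509Certificate in the document."""
    # For untrusted input, swap in a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    out = []
    for node in root.iter("{%s}X509Certificate" % DSIG_NS):
        der = base64.b64decode("".join((node.text or "").split()))
        out.append(hashlib.sha256(der).hexdigest())
    return out

def embedded_certs_match_pin(xml_text: str, pinned_pem: str) -> bool:
    """True only if the document embeds no certificate other than the pinned one."""
    pinned = hashlib.sha256(pem_to_der(pinned_pem)).hexdigest()
    return all(fp == pinned for fp in embedded_fingerprints(xml_text))

# Constructed sample data: placeholder bytes stand in for DER certificates.
def sample_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

def sample_signed_doc(der: bytes) -> str:
    return ('<md xmlns:ds="%s"><ds:Signature><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></ds:Signature></md>'
            ) % (DSIG_NS, base64.b64encode(der).decode())

EXPECTED_DER = b"constructed-expected-signer-cert"
OTHER_DER = b"constructed-other-cert"

if __name__ == "__main__":
    pin = sample_pem(EXPECTED_DER)
    print(embedded_certs_match_pin(sample_signed_doc(EXPECTED_DER), pin))
    print(embedded_certs_match_pin(sample_signed_doc(OTHER_DER), pin))
```

This only compares embedded certificates with the pinned one; it does not verify the signature itself.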

