[xmlsec] Certificate priority in verifying signatures
aleksey at aleksey.com
Wed Feb 9 10:58:22 PST 2011
> Apparently, the embedded certificate takes precedence over the one
> specified in the command line!
> Since I am new to concepts related to xml signing, there may be
> something I'm overlooking here, but if my analysis is correct, this is a
> serious issue as users would be misled into thinking that
> roguemetadata.xml is signed by signer_bundle.pem while it is not.
Read the xml digital signature spec :)
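
A pre-verification check for the concern raised in the quoted message, as an added example that is not part of the original thread or of xmlsec: it lists certificates embedded in `ds:KeyInfo` whose SHA-256 fingerprint is not in a pinned set, so the caller can reject the document before trusting a "signature OK" result. The function names and sample documents are hypothetical, and the sample certificate bytes are constructed placeholders, not real DER.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace


def embedded_cert_fingerprints(xml_text):
    """SHA-256 fingerprints of every ds:X509Certificate under a ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    fps = []
    for key_info in root.iter(DS + "KeyInfo"):
        for cert in key_info.iter(DS + "X509Certificate"):
            # Base64 text may be wrapped across lines; strip whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return fps


def unexpected_embedded_certs(xml_text, pinned):
    """Embedded fingerprints that are NOT in the pinned set (empty list = none).

    This does not verify the signature; it only reports which key material
    the document itself is offering to the verifier.
    """
    return [fp for fp in embedded_cert_fingerprints(xml_text) if fp not in pinned]


# --- constructed sample data (placeholder bytes, not real certificates) ---
TRUSTED = b"constructed-trusted-signer-cert"
OTHER = b"constructed-other-cert"


def make_doc(cert_bytes=None):
    """Build a minimal signed-document skeleton, optionally embedding a cert."""
    key_info = ""
    if cert_bytes is not None:
        b64 = base64.b64encode(cert_bytes).decode()
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                    f"{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    return ('<md xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f"<ds:Signature>{key_info}</ds:Signature></md>")


PINNED = {hashlib.sha256(TRUSTED).hexdigest()}

if __name__ == "__main__":
    for name, doc in (("pinned", make_doc(TRUSTED)), ("other", make_doc(OTHER))):
        bad = unexpected_embedded_certs(doc, PINNED)
        print(name, "->", bad if bad else "no unpinned embedded certificate")
```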