metadata-support - Re: [Metadata-Support] signature verification fails with newly signed metadata
Subject: InCommon metadata support
List archive
- From: Tom Scavo <>
- To: "" <>
- Cc: Mike Manske <>, "" <>
- Subject: Re: [Metadata-Support] signature verification fails with newly signed metadata
- Date: Tue, 22 Mar 2016 17:32:17 -0400
Branson, your message was trapped in the queue because you're not
subscribed to the metadata-support mailing list:
https://lists.incommon.org/sympa/info/metadata-support
The issue you experienced earlier today was caused by bogus characters
in an <mdui:Description> element in an entity descriptor imported from
eduGAIN. The problem began when we signed metadata at ~9:00 am ET
today. The bogus characters were gone by the time we signed metadata
at ~3:00 pm ET today. Here is a portion of the diff before and after
the 3:00 pm signing:
- <mdui:Description xml:lang="en">Off Campus Partners
simplifies the off-campus housing
- search process for universities, property managers, and students. Our
- software platform powers the off-campus housing listing service at
the
- nation's leading universities.</mdui:Description>
+ <mdui:Description xml:lang="en">Off Campus Partners
simplifies the off-campus housing search process for universities,
property managers, and students. Our software platform powers the
off-campus housing listing service at the nation's leading
universities.</mdui:Description>
If your SP is still having an issue, clear the backing file and
restart the SP to fix the issue.
Hope this helps,
Tom
On Tue, Mar 22, 2016 at 12:50 PM, Branson C Stephens
<>
wrote:
>
> I restarted shibd a bit earlier this morning (after your 9 AM EDT special
> signing), and I found that I had to turn
> off the signature verification in order for it to work. I saw this in the
> logs:
>
> 2016-03-22 10:11:15 INFO OpenSAML.MetadataProvider.XML : reload thread
> started...running every 82800 seconds
> 2016-03-22 10:11:15 INFO OpenSAML.MetadataProvider.XML : remote resource
> (http://md.incommon.org/InCommon/InCommon-metadata.xml) unchanged, adjusted
> reload interval to 28800 seconds
> 2016-03-22 10:11:15 INFO OpenSAML.MetadataProvider.XML : using local backup
> of remote resource
> 2016-03-22 10:11:16 INFO OpenSAML.MetadataProvider.XML : loaded XML
> resource (/var/cache/shibboleth/InCommon-metadata.xml)
> 2016-03-22 10:11:19 INFO OpenSAML.Metadata : applying metadata filter
> (Signature)
> 2016-03-22 10:12:05 WARN OpenSAML.MetadataFilter.Signature : filtering out
> group at root of instance after failed signature check: Unable to verify
> signature with supplied key(s).
> 2016-03-22 10:12:05 INFO OpenSAML.MetadataProvider.XML : reload thread
> started...running every 28800 seconds
> 2016-03-22 10:12:05 CRIT OpenSAML.Metadata.Chaining : failure initializing
> MetadataProvider: SignatureMetadataFilter unable to verify signature at
> root of metadata instance.
>
> I hadn’t made any changes to the cert inc-md-cert.pem, so this seemed
> strange. I just wanted to let you know in case there is an issue.
>
> best,
> Branson
>
>
- [Metadata-Support] signature verification fails with newly signed metadata, Branson C Stephens, 03/22/2016
- Re: [Metadata-Support] signature verification fails with newly signed metadata, Tom Scavo, 03/22/2016
Archive powered by MHonArc 2.6.16.