...

https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key

https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home

Procedure

  1. Download a copy of the InCommon MDQ signing certificate and verify that its fingerprint matches the published value (see the signing-key page linked above).

    curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem
    openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem
    SHA1 Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36


  2. Fetch the UC Davis IdP metadata (SAML entity ID urn:mace:incommon:ucdavis.edu).

    curl --silent --output ucdavis-metadata.xml \
            http://mdq.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu


  3. Validate the XML signature against the verified certificate. Note: several other tools can verify the digital signature on an XML document as well; two common ones are shown here.

    https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home

    xmlsectool:
    xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem

    https://www.aleksey.com/xmlsec/

    xmlsec1:
    xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
            --pubkey-cert-pem inc-md-cert-mdq.pem ucdavis-metadata.xml
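The three steps above, combined into one fail-closed script as an added example (not InCommon's or Shibboleth's own tooling): the downloaded certificate is compared against the pinned SHA-1 fingerprint from this page before it is used, the entity metadata is verified with xmlsec1 against that certificate only (never against the certificate embedded in the document), and the result is rejected if validUntil is missing or in the past. The URLs, fingerprint and entityID are the ones on this page; the function names are my own.

```shell
#!/bin/sh
# Fail-closed wrapper around the procedure on this page (added example).
set -eu

PINNED_SHA1="F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36"  # from the page
CERT_URL="http://md.incommon.org/certs/inc-md-cert-mdq.pem"                 # from the page
MDQ_BASE="http://mdq.incommon.org/entities/"                                 # from the page

# Strip colons/spaces and upper-case so "f8:4e..." and "F84E..." compare equal.
normalize_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# Succeeds only when both fingerprints are identical after normalization.
fp_matches() { [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; }

# ISO-8601 UTC timestamps ("2024-06-01T00:00:00Z") sort lexically, so a string
# comparison is enough to tell whether validUntil ($1) is still after now ($2).
not_expired() { [ -n "$1" ] && [ "$(expr "$1" \> "$2")" = 1 ]; }

# First validUntil attribute found in a metadata file (empty if none).
valid_until_of() { sed -n 's/.*validUntil="\([^"]*\)".*/\1/p' "$1" | head -n 1; }

# Percent-encode the colons of a SAML entityID to build the MDQ URL.
mdq_url() { printf '%s%s\n' "$MDQ_BASE" "$(printf '%s' "$1" | sed 's/:/%3A/g')"; }

verify_entity() {  # $1 = entityID, e.g. urn:mace:incommon:ucdavis.edu
  work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
  curl --silent --fail --output "$work/mdq.pem" "$CERT_URL"
  actual=$(openssl x509 -sha1 -noout -fingerprint -in "$work/mdq.pem" | cut -d= -f2)
  fp_matches "$actual" "$PINNED_SHA1" \
    || { echo "signing cert fingerprint mismatch: $actual" >&2; return 1; }
  curl --silent --fail --output "$work/entity.xml" "$(mdq_url "$1")"
  # Trust comes from the pinned cert only; <ds:KeyInfo> in the document is ignored.
  xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
          --pubkey-cert-pem "$work/mdq.pem" "$work/entity.xml" >/dev/null 2>&1 \
    || { echo "signature verification failed for $1" >&2; return 1; }
  not_expired "$(valid_until_of "$work/entity.xml")" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    || { echo "metadata has no validUntil or is expired" >&2; return 1; }
  echo "OK: $1 verified against the pinned InCommon MDQ signing certificate"
}

# Run only when an entityID is given, so the helpers can also be sourced.
if [ "$#" -ge 1 ]; then verify_entity "$1"; fi
```

Invoke as `sh verify-mdq.sh urn:mace:incommon:ucdavis.edu`; a non-zero exit means one of the three checks failed and the metadata must not be used.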