...
https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key
https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home
Procedure
Download a copy of the InCommon MDQ signing certificate. Verify its fingerprint.
Code Block curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem SHA1 Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36
Fetch the UC Davis IdP metadata (SAML entity ID
urn:mace:incommon:ucdavis.edu
).Code Block curl --silent --output ucdavis-metadata.xml \ http://mdq.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu
Validate the XML signature. Note: several other ways to verify the digital signature on an XML document exist, as well, cf. Google search.
https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+HomeCode Block title xmlsectool xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem
https://www.aleksey.com/xmlsec/
Code Block title xmlsec1 xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \ --pubkey-cert-pem inc-md-cert-mdq.pem ucdavis-metadata.xml