Note: The MDQ beta service retired May 1, 2019. The production MDQ service went live July 9, 2019.
References
https://spaces.at.internet2.edu/display/MDQ
https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key
https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home
Procedure
Download a copy of the InCommon MDQ signing certificate. Verify its fingerprint.
curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem SHA1 Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36
Fetch the UC Davis IdP metadata (SAML entity ID
urn:mace:incommon:ucdavis.edu
).curl --silent --output ucdavis-metadata.xml \ http://mdq.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu
Validate the XML signature. Note: several other ways to verify the digital signature on an XML document exist, as well, cf. Google search.
xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem