Verifying GPG signatures of commits in *-git packages

Hi, I'm wondering if there's a way to have makepkg check the GPG signature present on git commits.
I am not talking about checking tag signatures; this is for *-git packages, which build from the HEAD revision of the repository. If all commits in that repository are signed (using 'git commit -S'), then the signature can be checked before building the package.
I have already hacked together a PKGBUILD that does this, but it's not exactly pretty. I'm wondering if there's a better way to do this, as there does seem to be some built-in GPG signature checking on regular files (triggered whenever one of the source files ends in '.asc' apparently, which is why I had to rename the key file in that PKGBUILD). It seems to be confused when used against git sources, however.
Last edited by WindPower (2013-07-10 22:42:44)

falconindy wrote:Why do you even want this? The repo itself ensures integrity.
git does pretty well at integrity, in that every git commit has a hash which is unique to the commit and which is tamper-proof in the sense that it is not computationally possible to come up with a commit that has the same hash but with a different diff attached to it. As the commit hash also covers the hash of the preceeding commit in the tree, a single commit hash is enough to guarantee the integrity of the entire source tree. However, this provides just that: integrity. It provides no authentication whatsoever. The 'git://' protocol also provides no encryption or authentication (unlike for example 'git+https://'). Therefore, there is no way to know if a repository cloned over the 'git://' protocol really is the same as what it should be, without a secure (i.e. authenticated) way of knowing what the true hash of the latest commit is. That is where signed tags and commits come in; all that is needed is to sign the hash of the latest commit, and the PKGBUILD can check if the signature matches said hash. If so, then the entire history of the repository (up to the signed commit) can be considered to be as trustworthy as the GPG key itself is.
tl;dr: git is pretty smart, but it does not provide any authentication guarantee. Signature verification solves this problem.
HalosGhost wrote:Conceptually speaking, however, this hypothetical gpgkeys=() array wouldn't list keys to be matched to the source file; instead, it would list keys with which it would be acceptable for the git repo to be signed. So, you could have multiple keys that only pertain to one source file. I would imagine it would work so that instead of putting 'SKIP' for the checksum array value of the given source repo, you would put something like 'GPG[0:2]', and then that source file would be checked for integrity using the first three keys listed in the gpgkeys array.
That would be pretty damn cool.
Last edited by WindPower (2013-07-11 03:13:53)

Similar Messages

Problem verifying xml signature

We have a problem with verifying XML Signatures which are part of a SOAP message. Thanks a lot for helping! Hope my problem is understandable - otherwise ask.
We use the following enviroment:
Java6
Axis 2 V1.2 with XML Beans
Step 1:
The Java 6 XML Signature is an enveloped signature over an element called payload with exclusive XML canonicalization. We sign the payload and send the payload including signature to the server. At first I discovered the following namespace problem.
DigesterOutputstream Create Signature:
FEINER: <Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp><Created>UNDO</Created></Timestamp></Payload>
DigesterOutput Verify Signature:
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Expected digest: 71PfJ/xxn38TtQrpZOpRdqTZsBw=
31.10.2007 08:25:48 org.jcp.xml.dsig.internal.dom.DOMReference validate
FEIN: Actual digest: B1Qdei/0yW1mqR2T50LXKFfxhl0=
Soap request with payload:
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDAyNDAwPC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:34D51D9DE4B7A19DD411938151524022</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>71PfJ/xxn38TtQrpZOpRdqTZsBw=</DigestValue></Reference></SignedInfo><SignatureValue>FuhOdrz9kHR0MeAUq9Rxkg6w++7foR77s9AYQUQxb8qPJ44Ba6By8R/H+CCn5JP5cPFz8/mGOgOD NGKLgZp66xbVSWe1UeehmZLH1a2kvHsx/VvYo3Lr5foHsl6YikUBMXCBdhI4ukKJTuwBOK/7m3lu 7Zl07SFo0zWL73gUTxc=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
The problem is the namespaces under the elements payload and timestamp. For verification the namespaces are inherited from parent element. I wonder why this happens - I thought this should not happen when using exclusive canonicalization, or?
Step 2:
Then I added the namespaces before creating the signature , e.g.
payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
for all attributes that are not part of the create signature log. Then the xml signature was verify successfully when I tested this against my own server. See log files:
DigesterOutputstream for create signature:
31.10.2007 11:16:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
DigesterOutputstream verify signature:
31.10.2007 11:19:00 org.jcp.xml.dsig.internal.DigesterOutputStream write
FEINER: <Payload xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp></Payload>
The whole soap request:
<?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-3596382">MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIGA1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGluZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBLbmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayvHO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2qxJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vaiZst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6fMqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupivlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-8331318"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#id-28000914"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>Q2LregRFO//cXlkcThu9Bx0jal4=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#id-10464309"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>BX651XEWk4u4pGgshQhocYxPkSo=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#Timestamp-7651652"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>ezisLn/pGWNqMHbT6UlHyM4Ez64=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> Xl4SSEwrtyUnsqf8xOmfzojLLU18tOrikOhK+HRyqHqv0lPF+AqANLU6yygNdhbfI5qyef9BLr6I CmSPIX4QQR+Hq45l/Ewa+M2K1OOjqvBUGYyQqrKCqUFtsISr9xPudB8ZmaVfaUu5chjIvy/sPYYx TuYv2Ma6uEwek1YZpbE= </ds:SignatureValue> <ds:KeyInfo Id="KeyId-1823783"> <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-17125267"><wsse:Reference URI="#CertId-3596382" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /></wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-7651652"><wsu:Created>2007-10-31T10:16:00.474Z</wsu:Created><wsu:Expires>2007-10-31T10:21:00.474Z</wsu:Expires></wsu:Timestamp></wsse:Security><TelematikHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-10464309"><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><ConversationID /><ServiceLocalization><Type>VSD</Type><Provider>101575519</Provider></ServiceLocalization><MessageType><Component>VSD</Component><Operation>PerformUpdates</Operation></MessageType><RoleDataProcessor /></TelematikHeader><TransportHeader xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><InterfaceVersion>0.0.24.3</InterfaceVersion></TransportHeader></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-28000914"><TelematikExecute xmlns="http://ws.gematik.de/Schema/Telematik/Transport/V1"><Payload Id="c623c3be-529b-4d6d-8f1e-a4a29660f344"><Parameter Encoding="base64"><Name>VSD</Name><Value>PFBlcmZvcm1VcGRhdGVzIHhtbG5zPSJodHRwOi8vd3MuZ2VtYXRpay5kZS9jbS9jYy9DbUNjU2VydmljZVJlcXVlc3QvdjEuMiIgeG1sbnM6djE9Imh0dHA6Ly93cy5nZW1hdGlrLmRlL2NtL2NvbW1vbi9DbUNvbW1vbi92MS4yIj4NCiAgPHYxOkljY3NuPjgwMjc2MDAxMDQwMDAwMDMwMjI5PC92MTpJY2Nzbj4NCiAgPHYxOlVwZGF0ZUlkPjAxPC92MTpVcGRhdGVJZD4NCjwvUGVyZm9ybVVwZGF0ZXM+</Value></Parameter><MessageID>urn:uuid:9E0D31C48FDB63BBCD11938257462232</MessageID><Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><Created>UNDO</Created></Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#c623c3be-529b-4d6d-8f1e-a4a29660f344"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>XHIiHK4NYczByvAJSZH8u3hSvuQ=</DigestValue></Reference></SignedInfo><SignatureValue>JQnTQJ1TidrMuWmSmpHE3ZR5M728A3tlvKjrM3GxFPuy5YOmmybxR0T7xe72WSdWsqvFT9QGE+iP GL5POuc3s8lLc1QGZRKhZvjHAKFldDNyxAMWRL7ZXmhpjsRXT3HethKWew3669SKjJFkZ1IYEnZz QrJOmgt1MMjWx99CgaQ=</SignatureValue><KeyInfo><X509Data><X509SubjectName>CN=Harris Knafla,OU=IP,O=TK,ST=Hamburg,C=DE</X509SubjectName><X509Certificate>MIIC0DCCAjmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCREUxEDAOBgNVBAgT B0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxCzAJBgNVBAoTAlRLMQswCQYDVQQLEwJJUDEUMBIG A1UEAxMLTmlscyBLbmFmbGExKjAoBgkqhkiG9w0BCQEWG0RyLk5pbHMuS25hZmxhQHRrLW9ubGlu ZS5kZTAeFw0wNzA2MjkxNzQ2MzBaFw0wODA2MjgxNzQ2MzBaMFExCzAJBgNVBAYTAkRFMRAwDgYD VQQIEwdIYW1idXJnMQswCQYDVQQKEwJUSzELMAkGA1UECxMCSVAxFjAUBgNVBAMTDUhhcnJpcyBL bmFmbGEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMjAnKFGjXjbPbi4X1vnI/H7ArNfayv HO7+QbuV1FqIR+aZuAYZeR5v0s8NKyGOcMxscAQk59ZrdfqaaIiwtcXk2fNHphtSVqLqR4NLWO2q xJKXwBcAxIn7byjq/DqjiUr5nmw1cMWJtK1xwB6pVMvCv97KGg2Z8peronBxg6mVAgMBAAGjezB5 MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBRaMTzoUhWt1wguyvPlPuUUV8VRtTAfBgNVHSMEGDAWgBQuZ2A4G1XF+GvL7vai Zst6RUCqYjANBgkqhkiG9w0BAQUFAAOBgQAr3rtJIVNchr3pMEfFcSzbJJWo/c0LRkUnWkP1gD6f MqLoLFUbl8k6tKJ9V4P0Oe2BODRIfNyTFjKLzD1lHAFFRz9pzYUx+hq4VDWooA3MsewNDDyJwupi vlmHcM+Y8Cv97q9pERiqAY88TRMZxntl/b98W61KARAO+HUDhTnA1g==</X509Certificate></X509Data></KeyInfo></Signature></Payload></TelematikExecute></soapenv:Body></soapenv:Envelope>
As you can see in the soap request on top of the xml signature there is a Webservice Security signature (WSSE) over three elements. This should be no problem altough WSSE adds the wsu:id attribute to the body element. WSSE was omitted in step 1 for simplicity.
I wonder that the attributes which have been set to the payloadElement are not part of the actual message. But it works!
Step 3:
The same request was sent to an external webservice server and the server reports a xml signature verification problem. I don't have any logs or further information. But I have to get this to work against this server.
Java Files for Create + Verify Signature. For Create I get a DOM Node from a XML Bean. For step 1 the attribute setting should be in comments. I use VerifySignature for step 1 + 2.
SignPayload.java:
package de.tk.signature;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.apache.xmlbeans.XmlObject;
import de.tk.schemaTools.TkSchemaHandler;
import de.tk.util.ClientProperties;
public class SignPayload {
 public static void signDocument(XmlObject telematikExecuteXmlObject, String payloadId) {
 try {
 // get Document
 org.w3c.dom.Node node = telematikExecuteXmlObject.getDomNode();
 Document documentTo = node.getOwnerDocument();
 XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
 Reference ref = fac.newReference("#"+payloadId, fac.newDigestMethod(DigestMethod.SHA1, null), Collections.singletonList(fac
 .newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
 // Create the SignedInfo.
 SignedInfo si = fac.newSignedInfo(fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null), fac.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
 Collections.singletonList(ref));
 KeyStore keyStore = KeyStore.getInstance("JKS");
 String keyStoreFilename = ClientProperties.getKeystorefile();
 FileInputStream keyStoreFile = new FileInputStream(keyStoreFilename);
 keyStore.load(keyStoreFile, "storePwd".toCharArray());
 keyStoreFile.close();
 KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry("harris", new KeyStore.PasswordProtection("keyPwd".toCharArray()));
 X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
 // Create the KeyInfo containing the X509Data.
 KeyInfoFactory kif = fac.getKeyInfoFactory();
 List x509Content = new ArrayList();
 x509Content.add(cert.getSubjectX500Principal().getName());
 x509Content.add(cert);
 X509Data xd = kif.newX509Data(x509Content);
 KeyInfo ki = kif.newKeyInfo(Collections.singletonList(xd));
 Node payloadNode = new TkSchemaHandler().getNode(documentTo, "Payload");
 String prefix = payloadNode.getPrefix();
 NamedNodeMap nameNodeMap = payloadNode.getAttributes();
 // String baseUri = payloadNode.getBaseURI(); not implemented
 boolean attributes = payloadNode.hasAttributes();
 Element payloadElement = (Element) payloadNode;
 //xmlns is the prefix and first parameter the namespaceURI
 // xmlns existiert ohne WSSE, beim Create XMLOutputter ausgegeben
 payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://ws.gematik.de/Schema/Telematik/Transport/V1");
 // existiert ohne WSSE
 // bei Create nicht; aber bei Verify im DigestOutputter mit drin
 payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:soapenv", "http://schemas.xmlsoap.org/soap/envelope/");
 // existiert nur bei WSSE
 payloadElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
 Node timestampNode = new TkSchemaHandler().getNode(documentTo, "Timestamp");
 Element timestampElement = (Element) timestampNode;
 // existiert ohne WSSE
 // beim Create Outputter angegeben sowie beim Verify
 timestampElement.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
 // existiert nur bei WSSE, war wohl nur notwendig da bei WSSE Signature auf falschen Timestamp zugegriffen worden ist.
 // Create a DOMSignContext and specify the RSA PrivateKey and
 // location of the resulting XMLSignature's parent element.
 DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),payloadNode);
 // Create the XMLSignature, but don't sign it yet.
 XMLSignature signature = fac.newXMLSignature(si, ki);
 // DomInfo.visualize(document);
 SAXBuilderDemo2.print(documentTo);
 // Marshal, generate, and sign the enveloped signature.
 signature.sign(dsc);
 } catch (Exception exc) {
 throw new RuntimeException(exc.getMessage());
VerifySignature.java:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
public class VerifySignature {
 * @param args
 public static void main(String[] args) {
 // TODO Auto-generated method stub
 try {
 String filename = args[0];
 System.out.println("Verify Document: " + filename);
 XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 dbf.setNamespaceAware(true);
 Document doc = dbf
 .newDocumentBuilder()
 .parse(
 new FileInputStream(filename));
// Find Signature element.
// NodeList nl =
// doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
 Node node = TkSchemaHandler.getNode(doc,"/*[local-name()='Envelope' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*[local-name()='Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/'][1]/*[local-name()='TelematikExecute' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Payload' and namespace-uri()='http://ws.gematik.de/Schema/Telematik/Transport/V1'][1]/*[local-name()='Signature' and namespace-uri()='http://www.w3.org/2000/09/xmldsig#'][1]");
 if (nl.getLength() == 0) {
 throw new Exception("Cannot find Signature element");
 Node node = nl.item(0); */
// Create a DOMValidateContext and specify a KeySelector
// and document context.
 DOMValidateContext valContext = new DOMValidateContext
 (new X509KeySelector(), node);
// Unmarshal the XMLSignature.
 XMLSignature signature = fac.unmarshalXMLSignature(valContext);
// Validate the XMLSignature.
 boolean coreValidity = signature.validate(valContext);
 // sample 6
// Check core validation status.
 if (coreValidity == false) {
 System.err.println("Signature failed core validation");
 boolean sv = signature.getSignatureValue().validate(valContext);
 System.out.println("signature validation status: " + sv);
 if (sv == false) {
 // Check the validation status of each Reference.
 Iterator i = signature.getSignedInfo().getReferences().iterator();
 for (int j=0; i.hasNext(); j++) {
 boolean refValid = ((Reference) i.next()).validate(valContext);
 System.out.println("ref["+j+"] validity status: " + refValid);
 } else {
 System.out.println("OK! Signature passed core validation!");
 } catch (Exception exc) {
 exc.printStackTrace();
Questions:
1. Do I really have to set all the namespace attributes? I thought with exclusive xml this should not be necessary. Is there any other solution?
2. Do you think I got all the settings right in SignPayload.java?
Thanks a lot in advance.
Cheers !
Nils

It seems to be a bug with the JDK you are using. What is the JDK version you are using?

Bad PGP/GPG signatures for all Win32 Mozilla firefox partial.mar files

I checked the .asc signature for the Mozilla 12.0 update firefox-11.0-12.0.partial.mar and came up with:
Signature made Fri, Apr 20, 2012 21:24:01 EDT using DSA key ID C52175E2
BAD signature from "Mozilla Software Releases <[email protected]>"
The MD5, SHA1 and SHA512 checksums come back OK.

An interesting interpretation of the facts...
Cygwin, an OpenSource project of Red Hat Inc., (available at http://cygwin.com) is:
• a collection of tools which provide a Linux look and feel environment for Windows.
• a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality.
Now, using these tools, specifically the ''rsync'' tool (which uses the rsync TCP/IP protocol), I downloaded the update MAR file from the OFFICIAL site using the Rsync address:
rsync://releases-rsync.mozilla.org::mozilla-releases/firefox/releases/12.0/update/win32/en-US/firefox*.mar*
(This is equivalent to: http://releases.mozilla.org/pub/mozilla.org/firefox/releases/12.0/update/win32/en-US/)
This retrieved:
firefox-11.0-12.0.partial.mar 
firefox-11.0-12.0.partial.mar.asc 
firefox-12.0.complete.mar 
firefox-12.0.complete.mar.asc 
The '''''.asc''''' extension is short for ASCII (alternatively, this could be, by convention, '''''.sig''''',) and contains the digital signature generated using the "Mozilla Software Releases" PGP'/GPG key, DSA key ID C52175E2. '''''PGP'''''/'''''GPG''''' are authentication tools that use the RSA encryption algorithm to generate digital signatures that guarantee the veracity of a file or message. The signature for firefox-11.0-12.0.partial.mar does NOT verify. The output of GPG is:
+ gpg --verify firefox-11.0-12.0.partial.mar.asc firefox-11.0-12.0.partial.mar 
... 
gpg: Signature made Fri, Apr 20, 2012 21:24:01 EDT using DSA key ID C52175E2 
gpg: BAD signature from "Mozilla Software Releases " 
Official MD5, SHA1 and SHA512 checksums are also available for this file and its signature. They DO verify properly. For example:
+ md5sum -c .md5sum (.md5sum is extracted from MD5SUMS) 
... 
update/win32/en-US/firefox-12.0.complete.mar: OK 
update/win32/en-US/firefox-12.0.complete.mar.asc: OK 
update/win32/en-US/firefox-11.0-12.0.partial.mar: OK 
update/win32/en-US/firefox-11.0-12.0.partial.mar.asc: OK 
Would someone, please, check why a bad PGP/GPG signature for this file is being distributed? All the Mozilla12.0 partial.mar signatures I've checked (en-{GB,US,ZA}, zh-{CN,TW}) are bad.

This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this a valid Windows Installer package"

I'm unable to install Itunes on my new PC. I'm logged in as the administrator And have deleted my browsing history. This is the error I get, ITunes installation error- “This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this a valid Windows Installer package”... Any suggestions how to fix?

Hi
Try the following:
Uninstall iTunes and Quicktime
Reboot
in the task tray right click the quicktime icon and click exit.
navigate to the folder in program files and remove the quicktime directory and all its files.
Reboot.
Now try install iTunes and quicktime and it should work
Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I cant install java or itunes installation package could not be opened verify that the package exists and that you can access it or contact the application vendor to verify that this is a valid Windows package installler

installation package could not be opened verify that the package exists and that you can access it or contact the application vendor to verify that this is a valid Windows package installler what can i do ? help me

Hi,
Firstly make sure you save it to your hard disk, and then run setup from there.
If it doesn't help, you may also try to unregister Windows Installer, and then reregister Windows Installer and check if it helps. To do this, follow these steps:
1. Press Windows Key + R
2. In the "run" box, type "msiexec /unreg", and then press ENTER.
3. Press Windows Key + R
4. In the "run" box, type "msiexec /regserver", and then press ENTER.
Besides that, You could try to create a new user to download and install the application.
Karen Hu
TechNet Community Support

Receive message when downloading ITunes or Safari for Windows 7 64 Bit. "Installation package could not be opened. Verify package exists or contact application vendor to verify this is a valid Windows Installer package."

Received message when trying to install Itunes or Safari for Windows. " Installation package could not be opened. Verify package exists or contact application vendor to verify this is a valid Windows Installer package".

I to am having the same issue. I have a admin account and logged into it as well and still have the same message pop up. Contacted live support the woman i spoke with had to send it up higher. We went through every thing including her trying (taking over as a host on my laptop) still have not bee contacted this June will be a year that i have heard nothing from them sine She di everything she could and pushed it up higher.

On windows 8 adobe touch reader, where do i get options to validate/verify digital signatures in pdf?

i have windows 8 OS in my laptop, i need to verify digital signatures present in my pdf. the steps to verify/validate them are-
1. Open the PDF file in PDF Reader.
2. Left-click on the Digital Signature field.
3. Click "Verify/Validate Signature".
4. Click "Signature Properties".
5. Click "Validate Signature or Verify Identity".
6. Add "Contact information for certificate owner:"
7. Click "Add to List".
8. Click "Close".
but i cannot find such options in adobe touch reader.
please help to verify the digital signatures.
thank you

Unfotunately, this functionality is not supported in current version of Adobe Reader Touch. But, we have noted down your feature request and we might consider it for our future releases.

How to Verify digital signature in ABAP web dynpro enviroment

Hi,
I have few questions regarding, how we can Verify digital signature in ABAP WebDynpro ?
Do we have class or function modules to verify digital signature on WAS once signed offline or online interactive form is uploaded back?
can we use function modules in function group SSFG for validating authors signature? Or any other classes or interfaces are available in NetWeaver environment.
I searched to find any sample for validating signatures in ABAP WebDynpro, however I could not find any thing. Any sample code will be very useful?
Thanks,
Nitesh Shelar.

I Found that Interface IF_FP_PDF_OBJECT can be used to extract signatures from document.
Thanks,
Nitesh Shelar.

Failed to verify Authenticode signature on DLL msxmlsql.dll

Hello, I got this error message. The server is experiencing issue of service broker suddenly stopping, so we are ruling out all errors at this point. Server is setup with HADR.
Win Server 2008 R2 Ent SP1
SQL 2012 11.0.3349 Ent
Log Name: Application
Source: MSSQL$SQL01
Date: 4/18/2013 7:17:26 AM
Event ID: 33081
Task Category: Server
Level: Information
Keywords: Classic
User: N/A
Computer: SQL01.xxxxxx.xxx
Description:
Failed to verify Authenticode signature on DLL 'C:\Program Files\Microsoft SQL Server\MSSQL11.SQL01\MSSQL\Binn\msxmlsql.dll'.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
 <Provider Name="MSSQL$SQL01" />
 <EventID Qualifiers="16384">33081</EventID>
 <Level>4</Level>
 <Task>2</Task>
 <Keywords>0x80000000000000</Keywords>
 <TimeCreated SystemTime="2013-04-18T11:17:26.000000000Z" />
 <EventRecordID>28935</EventRecordID>
 <Channel>Application</Channel>
 <Computer>SQL01.xxxxxx.xxx</Computer>
 <Security />
</System>
<EventData>
 <Data>C:\Program Files\Microsoft SQL Server\MSSQL11.SQL01\MSSQL\Binn\msxmlsql.dll</Data>
 <Binary>398100000A0000000F000000500052004F004400530051004C0031005C0043004F00530051004C000000040000004F006E0065000000</Binary>
</EventData>
</Event>
Thanks.

Hi ASR,
Have you found C:\Program Files\Microsoft SQL Server\MSSQL11.SQL01\MSSQL\Binn\msxmlsql.dll? I think msxmlsql.dll is in the C:\Program Files\Microsoft SQL Server\110\Shared. Please check it. You could try to Copying msxmlsql.dll to the Binn folder to see
if it would be OK.
Or you could try to repair the SQL Server through SQL Server Installation Center.
Thanks.
If you have any feedback on our support, please click
here.
Maggie Luo
TechNet Community Support

Verifying detached signature

Hi,
Im trying to verify the PKCS& detached signature.. Verification is working fine. But if i try to alter or delete certian characters in my signature file its still saying verification success can anybody have a look at this code and help me to sort out this issue. Is there any other way with which i can verify the signature.
Here is the code:
import java.security.Security;
import java.io.*;
import org.bouncycastle.jce.PKCS7SignedData;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.util.Arrays;
import java.util.*;
import java.text.SimpleDateFormat;
import java.util.Iterator;
import java.util.List;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.io.FileInputStream;
import javax.security.auth.x500.X500Principal;
import java.lang.*;
import java.io.PrintWriter;
import java.security.cert.*;
import java.util.Vector;
import java.lang.*;
import java.io.IOException;
import java.util.Collection;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
class VerifyP7s {
public static void main(String args[]) {
if (args.length < 2)
usage();
//Plug the Provider into the JCA/JCE
Security.addProvider(new BouncyCastleProvider());
FileInputStream freader = null;
//------ Get the content data from file -------------
File f = new File(args[1]) ;
int sizecontent = ((int) f.length());
byte[] bytes = new byte[sizecontent];
try {
freader = new FileInputStream(f);
System.out.print("\nContent Bytes: " + freader.read(bytes, 0, sizecontent));
freader.close();
catch(IOException ioe) {
System.out.println(ioe.toString());
return;
//------ Get the pkcs #7 data from file -------
File p7s = new File(args[0]) ;
int size = ((int) p7s.length());
byte[] bytessig = new byte[size];
try {
freader = new FileInputStream(p7s);
System.out.println(" PKCS#7 bytes: " + freader.read(bytessig, 0, size));
freader.close();
catch(IOException ioe) {
System.out.println(ioe.toString());
return;
// --- Use Bouncy Castle provider to attempt verification of p7s ---
if(isBase64Encoded(bytessig)){
System.out.println("Signature file is BASE64 encoded") ;
try{
sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder() ;
byte[] bdecoded = dec.decodeBuffer(new String(bytessig));
if (isVerified(bdecoded, bytes))
System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as BASE64-encoded DER file\n" +
"against content file \"" + args[1] + "\"") ;
else
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
catch(Exception exc) {
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
return;
else { //if NOT base64 encoded
if (isVerified(bytessig, bytes))
System.out.println("Verified pkcs#7 data: \"" + args[0] + "\" as binary DER file\n" +
"against content file \"" + args[1] + "\"") ;
else
System.out.println("Failed to verify " + args[0] + " as valid pkcs#7 detached signature.");
private static byte[] toUnicode(byte[] bytes) {
byte[] ucbytes = new byte[2*bytes.length];
for (int j = 0; j< bytes.length; j++) {
ucbytes[2*j] = bytes[j];
ucbytes[2*j+1] = 0x00; //null byte for UNICODE encoding
return ucbytes;
private static final boolean isVerified(byte[] sig, byte[] content) {
try{
PKCS7SignedData pkcs7 = new PKCS7SignedData(sig);
pkcs7.update(content, 0, content.length); // Update checksum
boolean verified = pkcs7.verify(); // Does it add up?
if(!verified) { //see if original data was UNICODE byte encoding
//System.out.println("Original byte content not verified.\nTrying UNICODE encoding ...");
pkcs7 = new PKCS7SignedData(sig);
pkcs7.update(toUnicode(content), 0, 2*content.length);
verified = pkcs7.verify();
if(verified){
System.out.println("\nUNICODE-encoding of signed content was verified.");
return true;
else
//System.out.println("\nCould NOT verify signed detached content");
return false;
else
System.out.println("ANSI-encoding of signed content was verified.");
return true ;
catch(java.security.cert.CRLException crle) {
//System.out.println("crl " + crle.toString());
return false;
catch(java.security.SignatureException sigex) {
//System.out.println("sigexcept " + sigex.toString());
return false;
catch(Exception secex) {
//System.out.println("other exception " + secex.toString());
return false;
private static final boolean isBase64Encoded(byte[] data) {
Arrays.sort(Base64Map);
for (int i=0; i<data.length; i++){
//System.out.println("data[" + i + "] " + (char)data) ;
if( Arrays.binarySearch(Base64Map, (char)data)<0
&& !Character.isWhitespace((char)data) )
return false;
return true;
public String printX509Cert(X509Certificate cert){
try{
String discrt = cert.getPublicKey().toString();
return discrt;
catch(Exception exception)
System.err.println("Exception is: "+exception.getMessage());
String ex = exception.getMessage();
return ex;
private static char[] Base64Map =
{ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
'w', 'x', 'y', 'z', '0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', '+', '/', '='
private static void usage() {
System.out.println("Usage:\n java VerifyP7s <pkcs #7 signature file> <contentfile> ") ;
System.exit(1);
Here is my signature file:
MIIEoAYJKoZIhvcNAQcCoIIEkTCCBI0CAQExDjAMBggqhkiG9w0CBQUAMAsGCSqGSIb3DQEHAaCC
A3kwggN1MIICXaADAgECAhBjffJNbUvAx4VWV4qkdNLGMA0GCSqGSIb3DQEBBAUAMDExETAPBgNV
BAoTCFNJRlkgTHRkMRwwGgYDVQQDExNTSUZZIEx0ZCBQcml2YXRlIENBMB4XDTA0MDcyNjAwMDAw
MFoXDTA1MDcyNjIzNTk1OVowgZwxETAPBgNVBAoUCFNJRlkgTHRkMSIwIAYDVQQLFBlIdW1hbiBS
ZXNvdXJjZSBEZXBhcnRtZW50MRswGQYDVQQLFBJFbXBsb3llZUlEIC0gU0YwNjcxGzAZBgNVBAMT
ElN1ZGVlcCBLdW1hciBQLiBLLjEpMCcGCSqGSIb3DQEJARYac3VkZWVwa3VtYXJAc2FmZXNjcnlw
dC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANGOpSIhZEDQ5Z6cxLMpZssi5WWdD0h7
kFWkbXPQk842HqCBFPcClUUWWeT/LJ10VCC9Ff0KrI5lviGl9umnVW+LeCYiI/ksnea/p7tKfOgN
NO+UBoJ4PE5XnUEq03CFWdHhGNfukNqWZiMC+bUX8e6+blFU/6ipUtHmIkIrlNZBAgMBAAGjgaAw
gZ0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEQYJYIZIAYb4QgEBBAQDAgeAMF0GA1UdHwRWMFQw
UqBQoE6GTGh0dHA6Ly9vbnNpdGVjcmwuc2FmZXNjcnlwdC5jb20vU0lGWUx0ZEh1bWFuUmVzb3Vy
Y2VEZXBhcnRtZW50L0xhdGVzdENSTC5jcmwwEQYKYIZIAYb4RQEGCQQDAQH/MA0GCSqGSIb3DQEB
BAUAA4IBAQBpFEGmTHOSfA/SkeC/bvZE3sYpBU0+RG8iSm+DTbP5tiCyWT+L0AidTWDk0ZuXz7yA
eF9NR0OZyxp3/v+OQYn3Q0a1awe+JKnDCD+zayehcPbvD+q79WYHO5Ibm5UA2VnGoBbV3CDhj1qC
lCyqllEKVWk11iB6wu24PzB31uARxkar3cynFNX4P6nxy6vb83W/Wnt8eOMQHI2SiVvJtjU5SwL6
ILrkZfrm7NLcCQY2w7w4/WeFgeb2Ko8hYHSRyvJWwBUyv2ExDGnv0eqHJn6HC+4IE8wzirWre0jY
Y0529u3MfIL0F7lrkuwYnpVa3zE/b2HwCaMrN+TuY/oNkf2YMYHtMIHqAgEBMEUwMTERMA8GA1UE
ChMIU0lGWSBMdGQxHDAaBgNVBAMTE1NJRlkgTHRkIFByaXZhdGUgQ0ECEGN98k1tS8DHhVZXiqR0
0sYwDAYIKoZIhvcNAgUFADANBgkqhkiG9w0BAQEFAASBgDUpkV5Zpi781vTmtydAdOVJ7cecnQ9v
8fdTZwMgz56Q3ZI0pj6+60e8lIafO3mo596eCF2mBsZm2wEO1PhnXPKAQFXWIseDp0GVdmwTp1tH
M2e9fC2bOppNhBKkpZAr26PE6/BIDittE1rM8nJOa+9lzJcDCBBpJM3MdlHjY+8v
My Content file is:
<table width=100%><TR align=center><TH COLSPAN=3>Transfer Funds Request</TH></TR><TR><TD ALIGN=RIGHT>TRANSFER FROM</TD><TD>..........</TD><TD>Money Market</TD></TR><TR><TD ALIGN=RIGHT>TRANSFER TO</TD><TD>..........</TD><TD>Cash</TD></TR><TR><TD ALIGN=RIGHT>AMOUNT</TD><TD>..........</TD><TD>/ \ & \n</TD></TR></table> I am authorizing the transfer of the above funds by digitally signing this request.
Thanx in advance.

Your PKCS#7 signature file is dumped by DUMPASN1 as follows:
The verifying code only checks the public key against the data.
If you change some byte of the PKCS#7 data that can "blow up" the ASN.1 structures, you cannot get the public key, so the data would not be verified OK.
But if you change some other byte in the PKCS#7 signature data, it could change some things that are not important to ASN.1 Parsing, like changing 'Human Resource Department' to 'Departamentos de Recursos' that is a string with the same length. So as you don't changed the Public key bytes it's all OK.
If you are concerned about PKCS#7 signature file modification, you can try verifying the signer certificates inside - an additional step, but not difficult to do.
 0 30 1184: SEQUENCE {
 4 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 A0 1169: [0] {
19 30 1165: SEQUENCE {
23 02 1: INTEGER 1
26 31 14: SET {
28 30 12: SEQUENCE {
30 06 8: OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
40 05 0: NULL
42 30 11: SEQUENCE {
44 06 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
55 A0 889: [0] {
59 30 885: SEQUENCE {
63 30 605: SEQUENCE {
67 A0 3: [0] {
69 02 1: INTEGER 2
72 02 16: INTEGER
 : 63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
90 30 13: SEQUENCE {
92 06 9: OBJECT IDENTIFIER
 : md5withRSAEncryption (1 2 840 113549 1 1 4)
103 05 0: NULL
105 30 49: SEQUENCE {
107 31 17: SET {
109 30 15: SEQUENCE {
111 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
116 13 8: PrintableString 'SIFY Ltd'
126 31 28: SET {
128 30 26: SEQUENCE {
130 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
135 13 19: PrintableString 'SIFY Ltd Private CA'
156 30 30: SEQUENCE {
158 17 13: UTCTime 26/07/2004 00:00:00 GMT
173 17 13: UTCTime 26/07/2005 23:59:59 GMT
188 30 156: SEQUENCE {
191 31 17: SET {
193 30 15: SEQUENCE {
195 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
200 14 8: TeletexString 'SIFY Ltd'
210 31 34: SET {
212 30 32: SEQUENCE {
214 06 3: OBJECT IDENTIFIER
 : organizationalUnitName (2 5 4 11)
219 14 25: TeletexString 'Human Resource Department'
246 31 27: SET {
248 30 25: SEQUENCE {
250 06 3: OBJECT IDENTIFIER
 : organizationalUnitName (2 5 4 11)
255 14 18: TeletexString 'EmployeeID - SF067'
275 31 27: SET {
277 30 25: SEQUENCE {
279 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
284 13 18: PrintableString 'Sudeep Kumar P. K.'
304 31 41: SET {
306 30 39: SEQUENCE {
308 06 9: OBJECT IDENTIFIER
 : emailAddress (1 2 840 113549 1 9 1)
319 16 26: IA5String '[email protected]'
347 30 159: SEQUENCE {
350 30 13: SEQUENCE {
352 06 9: OBJECT IDENTIFIER
 : rsaEncryption (1 2 840 113549 1 1 1)
363 05 0: NULL
365 03 141: BIT STRING, encapsulates {
369 30 137: SEQUENCE {
372 02 129: INTEGER
 : 00 D1 8E A5 22 21 64 40 D0 E5 9E 9C C4 B3 29 66
 : CB 22 E5 65 9D 0F 48 7B 90 55 A4 6D 73 D0 93 CE
 : 36 1E A0 81 14 F7 02 95 45 16 59 E4 FF 2C 9D 74
 : 54 20 BD 15 FD 0A AC 8E 65 BE 21 A5 F6 E9 A7 55
 : 6F 8B 78 26 22 23 F9 2C 9D E6 BF A7 BB 4A 7C E8
 : 0D 34 EF 94 06 82 78 3C 4E 57 9D 41 2A D3 70 85
 : 59 D1 E1 18 D7 EE 90 DA 96 66 23 02 F9 B5 17 F1
 : EE BE 6E 51 54 FF A8 A9 52 D1 E6 22 42 2B 94 D6
 : [ Another 1 bytes skipped ]
504 02 3: INTEGER 65537
509 A3 160: [3] {
512 30 157: SEQUENCE {
515 30 9: SEQUENCE {
517 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
522 04 2: OCTET STRING, encapsulates {
524 30 0: SEQUENCE {}
526 30 11: SEQUENCE {
528 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
533 04 4: OCTET STRING, encapsulates {
535 03 2: BIT STRING 5 unused bits
 : '101'B
539 30 17: SEQUENCE {
541 06 9: OBJECT IDENTIFIER
 : netscape-cert-type (2 16 840 1 113730 1 1)
552 04 4: OCTET STRING, encapsulates {
554 03 2: BIT STRING 7 unused bits
 : '1'B (bit 0)
558 30 93: SEQUENCE {
560 06 3: OBJECT IDENTIFIER
 : cRLDistributionPoints (2 5 29 31)
565 04 86: OCTET STRING, encapsulates {
567 30 84: SEQUENCE {
569 30 82: SEQUENCE {
571 A0 80: [0] {
573 A0 78: [0] {
575 86 76: [6]
 : 'http://onsitecrl.safescrypt.com/SIFYLtdHumanReso'
 : 'urceDepartment/LatestCRL.crl'
653 30 17: SEQUENCE {
655 06 10: OBJECT IDENTIFIER '2 16 840 1 113733 1 6 9'
667 04 3: OCTET STRING, encapsulates {
669 01 1: BOOLEAN TRUE
672 30 13: SEQUENCE {
674 06 9: OBJECT IDENTIFIER
 : md5withRSAEncryption (1 2 840 113549 1 1 4)
685 05 0: NULL
687 03 257: BIT STRING
 : 69 14 41 A6 4C 73 92 7C 0F D2 91 E0 BF 6E F6 44
 : DE C6 29 05 4D 3E 44 6F 22 4A 6F 83 4D B3 F9 B6
 : 20 B2 59 3F 8B D0 08 9D 4D 60 E4 D1 9B 97 CF BC
 : 80 78 5F 4D 47 43 99 CB 1A 77 FE FF 8E 41 89 F7
 : 43 46 B5 6B 07 BE 24 A9 C3 08 3F B3 6B 27 A1 70
 : F6 EF 0F EA BB F5 66 07 3B 92 1B 9B 95 00 D9 59
 : C6 A0 16 D5 DC 20 E1 8F 5A 82 94 2C AA 96 51 0A
 : 55 69 35 D6 20 7A C2 ED B8 3F 30 77 D6 E0 11 C6
 : [ Another 128 bytes skipped ]
948 31 237: SET {
951 30 234: SEQUENCE {
954 02 1: INTEGER 1
957 30 69: SEQUENCE {
959 30 49: SEQUENCE {
961 31 17: SET {
963 30 15: SEQUENCE {
965 06 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
970 13 8: PrintableString 'SIFY Ltd'
980 31 28: SET {
982 30 26: SEQUENCE {
984 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
989 13 19: PrintableString 'SIFY Ltd Private CA'
1010 02 16: INTEGER
 : 63 7D F2 4D 6D 4B C0 C7 85 56 57 8A A4 74 D2 C6
1028 30 12: SEQUENCE {
1030 06 8: OBJECT IDENTIFIER md5 (1 2 840 113549 2 5)
1040 05 0: NULL
1042 30 13: SEQUENCE {
1044 06 9: OBJECT IDENTIFIER
 : rsaEncryption (1 2 840 113549 1 1 1)
1055 05 0: NULL
1057 04 128: OCTET STRING
 : 35 29 91 5E 59 A6 2E FC D6 F4 E6 B7 27 40 74 E5
 : 49 ED C7 9C 9D 0F 6F F1 F7 53 67 03 20 CF 9E 90
 : DD 92 34 A6 3E BE EB 47 BC 94 86 9F 3B 79 A8 E7
 : DE 9E 08 5D A6 06 C6 66 DB 01 0E D4 F8 67 5C F2
 : 80 40 55 D6 22 C7 83 A7 41 95 76 6C 13 A7 5B 47
 : 33 67 BD 7C 2D 9B 3A 9A 4D 84 12 A4 A5 90 2B DB
 : A3 C4 EB F0 48 0E 2B 6D 13 5A CC F2 72 4E 6B EF
 : 65 CC 97 03 08 10 69 24 CD CC 76 51 E3 63 EF 2F
 : }

Verify digital signature mobile 5.0

i have a jad file d2link and i get this error msg [unable to verify digital signature ] can any one help its on a 8525 phone with wm5 on it with the java program 6.1 i have downloaded opera it seem to work fine plus the golf tracker and gmail and them seem to work fine or is there any way to bypass this or add something to make it work
Message was edited by:
[email protected]

Hi, I was wondering if you solved already the digital signature verifying error on the MDA.
I am also trying to install something on my MDA and I get the error message "Unable to verify the digital signature"!
I am desperate because I really dont know where the problem is!!!
I would really appreciate if you could give me any hint!
Thank you so much in advance.
Clara Fdz

Verify SHA1withRSA signature

I have to verify the signature of files, the signature is included in an XML file generated throw C# .Net.
The public key is also extracted from the XML file. Every time I want to verify a file it returns false, I'd like to know if my code is correct or not :
Certificate cer = null;
XMLCertificateExtraction extractor = XMLCertificateExtraction.getInstance( luxtrust.Configuration.getInstance(args) );
String str = "d:\\projet_LUX_TRUST\\svn\\luxtrust.trunk
full_middleware_packages.xml";
cer = extractor.extractFromID( str );
else try{
 /* input the signature bytes */*
* String __signature = "wIeY0g1MdbFDVsEjqfK2YGsvRfVgtofcvwmzQP6l8ZCMuud0t95GmywqT5BTPVrRWkbwzp7GzJIkaD9u629XQfz4i2q+Hfmmn8+cj+zwvXWCfG9Y+l/dL9lwcFwr6pfpnFsSucrxZTKKDA11vNerMtP7P5wC5XMyhMtI48MDBm09tsaNntr1LeJkH9FRXSbGzqStv7MAnBYQLYYPT83PBs0rnu1Kz0LRUJhxEe5EfmXeUMtkeaChzdgJCkr/eueOH/Gt1pdtOU8kl96cJSE4bmQfO+1r8uXgOpenzrw3yvMTSHqlVEIg9uttZN/QNHPpylQYpEwax2sfZN7Okxe4IA==";*
* /* create a Signature object and initialize it with the public key */
 Signature sig = Signature.getInstance("SHA1withRSA");
 sig.initVerify(cer.getPublicKey());
 FileInputStream datafis = new FileInputStream(args[0]);
 BufferedInputStream bufin = new BufferedInputStream(datafis);
 byte[] buffer = new byte[1024];
 int len;
 while (bufin.available() != 0) {
 len = bufin.read(buffer);
 sig.update(buffer, 0, len);
 bufin.close();
 boolean verifies = sig.verify(__signature.getBytes());
 System.out.println("signature verifies: " + verifies);

I still didn't achieve the signature verification.
I had a doubt about the signature validity so I've done the following steps.
I took my pkcs#12 file, I used openssl to retrieve the private key, I than generated a certificate and a public key.
I've signed a binary file using the generated private key , and than went to java and tried to verify the signature without sucess.
While :
$ openssl dgst -sha1 -verify x509lx.crt.pub -signature signature.sig install_sdc.exe
Verified OKI used this code to verify the signature against the openssl generated siganture:
File pubKeyFile = new File(
 "D:\\projet_LUX_TRUST\\svn\\luxtrust.trunk\\keys\\openssl\\x509lx.crt");
 File sigFile = new File(
 "D:\\projet_LUX_TRUST\\svn\\luxtrust.trunk\\keys\\openssl\\signature.sig");
 File fileToSign = new File(
 "D:\\projet_LUX_TRUST\\svn\\luxtrust.trunk\\install_sdc.exe");
 java.security.cert.Certificate certLX = importCertificate(pubKeyFile);
 Signature rsa = Signature.getInstance("SHA1withRSA");
 /* Initializing signature verification */
 rsa.initVerify(certLX.getPublicKey());
 FileInputStream datafis = new FileInputStream(fileToSign);
 BufferedInputStream bufin = new BufferedInputStream(datafis);
 byte[] buffer = new byte[1024];
 int len = 0;
 while (bufin.read(buffer) != -1) {
 rsa.update(buffer, 0, len);
 bufin.close();
 boolean verifies = rsa.verify(getBytesFromFile(sigFile));
 System.out.println("2..signature = " + getBytesFromFile(sigFile));
 System.out.println("2..signature verifies: " + verifies);
 return true;
public static java.security.cert.Certificate importCertificate(File file) {
 try {
 FileInputStream is = new FileInputStream(file);
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 java.security.cert.Certificate cert = cf.generateCertificate(is);
 return cert;
 } catch (CertificateException e) {
 } catch (IOException e) {
 return null;
private static byte[] getBytesFromFile(File file) throws IOException {
 InputStream is = new FileInputStream(file);
 System.out.println("\nDEBUG: FileInputStream is " + file);
 // Get the size of the file
 long length = file.length();
 System.out.println("DEBUG: Length of " + file + " is " + length + "\n");
 * You cannot create an array using a long type. It needs to be an int
 * type. Before converting to an int type, check to ensure that file is
 * not loarger than Integer.MAX_VALUE;
 if (length > Integer.MAX_VALUE) {
 System.out.println("File is too large to process");
 return null;
 // Create the byte array to hold the data
 byte[] bytes = new byte[(int)length];
 // Read in the bytes
 int offset = 0;
 int numRead = 0;
 while ( (offset < bytes.length)
 ( (numRead=is.read(bytes, offset, bytes.length-offset)) >= 0) ) {
 offset += numRead;
 // Ensure all the bytes have been read in
 if (offset < bytes.length) {
 throw new IOException("Could not completely read file " + file.getName());
 is.close();
 return bytes;
 }What's wrong in my code or in my comprehension of RSA SHA1 usage ?

Easiest way to update -git packages?

Hello!
I have installed the Dolphin emulator from dolphin-emu-git with yaourt -S and I have noticed that by running yaourt -Syua, it doesn't update Dolphin, even though there is a never version available.
Do I always have to re-install -git packages with yaourt -S to get the latest version? If so, is there any way for me to get noticed when there is a new version out? Or do I have to manually have to check now and then?
Thanks!

--devel will rebuild VCS packages.
As far as notification, every upstream commit is an update. You can set something up to get notifications there.
Last edited by Scimmia (2015-05-18 15:40:12)

Unable to verify message signature

1 - I am using Lion and some emails come with a signature and it appears a message on top of the message saying:
"Unable to verify message signature" (here in attach). What should i do?
2 - I would like to use digital signature for my emails. What companies wirks with Digital Signatures for OS X v10.7 Lion ?
Thank You,
Paulo Guedes

There is another picture related with this problem

-git packages

Is there an inheret difference between '-git' and non-git packages?
I've read the archwiki written on it, but failed to sufficiently encompass its precise or logical relevance to makepkg~ing PKGBUILDS, as it is described as a version control manager.
I should make mention of the fact that I have never created an installable pkg.tar.gz '-git package' before.

edward.taylor89 wrote:Spelling correction for the first line: 'inherent'
There's an edit button.

Verifying GPG signatures of commits in *-git packages

Similar Messages

Maybe you are looking for