Tips

  • When signing a document to be sent via email or some other text-based mechanism, consider using the output option --base64EncodeOutput. This will Base64 encode the signed document, which will eliminate errors caused by unintentional XML reformatting (the most common cause of signature problems).

  • Be wary of XML attributes with default values defined in the document schema (such as the regexp XML attribute on the Shibboleth <Scope> extension element). If such an attribute is omitted from an otherwise schema-valid XML document, this may result in verification failures for verifiers that perform schema validation. To mitigate this issue, ensure that all such attributes have explicit values in the document to be signed.

  • If you need to sign or verify very large XML documents, it is possible that the default settings will not allow Java to allocate enough heap to perform the operation. In this case, you can add an explicit setting for the maximum Java heap size like this:

JVMOPTS="-Xmx1.5G" ...xmlsectool --sign ...
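As an added illustration of the first tip above (this is not code from the xmlsectool documentation or project): the script below uses only Python's standard library to show why a mail client re-indenting a signed document changes the digest a verifier recomputes over the Canonical XML form, while a Base64-wrapped copy decodes to the original bytes unchanged. The sample document, the SHA-256 digest standing in for a signature Reference digest, and all function names are constructed for this example.

```python
import base64
import hashlib
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed sample document (not real signed metadata). A real XML signature
# covers a digest over the canonicalized content; SHA-256 stands in for it here.
ORIGINAL_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<EntityDescriptor entityID="https://idp.example.org/idp"><IDPSSODescriptor>'
    b'<Extensions><Scope regexp="false">example.org</Scope></Extensions>'
    b'</IDPSSODescriptor></EntityDescriptor>'
)


def c14n_digest(xml_bytes: bytes) -> str:
    """SHA-256 over the Canonical XML (C14N) form, as a verifier would recompute it.

    C14N keeps whitespace text nodes, so indentation added between elements
    becomes part of the digested content."""
    canonical = ET.canonicalize(xml_data=xml_bytes.decode("utf-8"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pretty_print(xml_bytes: bytes) -> bytes:
    """Simulate a mail client or editor helpfully re-indenting the document."""
    doc = xml.dom.minidom.parseString(xml_bytes)
    return doc.toprettyxml(indent="  ").encode("utf-8")


def base64_for_mail(xml_bytes: bytes) -> str:
    """Base64 with lines wrapped at 76 columns, the safe form for text transports."""
    return base64.encodebytes(xml_bytes).decode("ascii")


def decode_after_transport(encoded: str) -> bytes:
    """Receiver side: line breaks in Base64 are insignificant, so strip and decode."""
    return base64.b64decode("".join(encoded.split()))


def digests_match(original: bytes, received: bytes) -> bool:
    """True when the received document still verifies against the original digest."""
    return c14n_digest(original) == c14n_digest(received)


if __name__ == "__main__":
    print("re-indented copy verifies:", digests_match(ORIGINAL_XML, pretty_print(ORIGINAL_XML)))
    roundtrip = decode_after_transport(base64_for_mail(ORIGINAL_XML))
    print("base64 round-trip verifies:", digests_match(ORIGINAL_XML, roundtrip))
```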