John Keeping wrote on 2009-06-19:
> I'm working on a product which needs to resign documents after modifying
> them and in some cases this involves removing references from the
> signature (for example if the referenced element has been deleted).
>
> It seems that just removing a reference from a DSIGSignature object is
> not sufficient to do this, as the XML Reference element is still in the
> document (although it is not updated).

That seems like a fundamental problem that has to be fixed systemically. I'm not sure if the library in general supports resigning at all, so that may be the problem. Is there reason to think that resigning would work if the DOM manipulation was being done? Did you try that by hand and get it to work?

> Am I correct in thinking that there is no way to extract information
> from a DSIGReference to match it back to the document other than walking
> the tree from the signature node looking for it? If so, do you think it
> would be possible to add an accessor to DSIGReference for the
> mp_referenceNode field?

I don't think that's elegant unless all the DOMs are exposed (which is an option), but more importantly my question would be what you would do with it. I don't know that it would be safe to only remove that specific node and then re-sign. Might be, I guess.

Anyway, I guess my point here is that the fix should be universal across the APIs, and if mutation is both broken and feasible, that should probably be fixed.

I know in my case, I use an abstraction layer that's responsible for creating the Reference List, and if I make changes, I drop the signature object entirely and recreate it via that abstraction. That's probably why I never noticed it.

-- Scott
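
Added example (not part of the original thread, and not xml-security-c code): the tree walk discussed above, written with the Python standard library. It starts at each ds:Signature node and matches every same-document ds:Reference back to its target, so references left behind for deleted elements show up before re-signing. It assumes targets carry an `Id`, `ID` or `id` attribute and handles only bare `#name` URIs; the sample document and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the element with Id="b" was deleted after signing,
# but its ds:Reference is still present under SignedInfo.
SAMPLE = f"""<doc>
  <item Id="a">kept</item>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:Reference URI="#a"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
      <ds:Reference URI="#b"><ds:DigestValue>BBBB</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</doc>"""


def match_references(root, id_attrs=("Id", "ID", "id")):
    """Walk from every ds:Signature and pair each same-document Reference
    URI with the element it points at (None if no such element exists)."""
    # Assumption: ID-ness is decided by attribute name, not by a DTD/schema.
    by_id = {}
    for el in root.iter():
        for attr in id_attrs:
            value = el.get(attr)
            if value:
                by_id.setdefault(value, el)

    matches = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed_info = sig.find(f"{{{DS}}}SignedInfo")
        if signed_info is None:
            continue
        for ref in signed_info.findall(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            # Only bare-name fragments ("#name"); "", external and
            # xpointer URIs are outside what this example resolves.
            if uri.startswith("#") and "(" not in uri and len(uri) > 1:
                matches.append((uri, by_id.get(uri[1:])))
    return matches


def stale_reference_uris(root):
    """URIs of References whose target is no longer in the document."""
    return [uri for uri, target in match_references(root) if target is None]


if __name__ == "__main__":
    doc = ET.fromstring(SAMPLE)
    print("stale references:", stale_reference_uris(doc))
```

Any change to the Reference list changes SignedInfo, so the SignatureValue has to be recomputed afterwards.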