Apparently, the embedded certificate takes precedence over the one specified in the command line! Since I am new to concepts related to xml signing, there may be something I'm overlooking here, but if my analysis is correct, this is a serious issue as users would be misled into thinking that roguemetadata.xml is signed by signer_bundle.pem while it is not.
Read the xml digital signature spec :)

Aleksey

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
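
Added example, not part of the original thread and not xmlsec code: for the concern raised above, a pre-check that lists certificates embedded in `ds:KeyInfo` that are absent from the expected signer bundle. The certificate bytes and the sample metadata are constructed placeholders, the function names are hypothetical, and the check does not validate the signature itself.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def bundle_fingerprints(pem_text):
    """Fingerprints of every certificate in a PEM bundle."""
    return {fingerprint(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)}

def embedded_fingerprints(xml_text):
    """Fingerprints of every ds:X509Certificate under any ds:KeyInfo."""
    # For untrusted documents, parse with a hardened XML parser instead.
    root = ET.fromstring(xml_text)
    return [fingerprint(base64.b64decode(cert.text or ""))
            for key_info in root.iter(DS + "KeyInfo")
            for cert in key_info.iter(DS + "X509Certificate")]

def unexpected_embedded_certs(xml_text, pem_text):
    """Embedded certificates that are absent from the expected bundle."""
    allowed = bundle_fingerprints(pem_text)
    return [fp for fp in embedded_fingerprints(xml_text) if fp not in allowed]

# Constructed placeholder bytes, not real certificates.
SIGNER_DER = b"constructed placeholder: expected signer certificate"
OTHER_DER = b"constructed placeholder: some other certificate"

def to_pem(der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sample_metadata(der):
    """Constructed document carrying `der` in ds:KeyInfo (no real signature)."""
    cert = base64.b64encode(der).decode()
    return ('<md xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature>'
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + cert +
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></md>")

if __name__ == "__main__":
    bundle = to_pem(SIGNER_DER)  # stands in for signer_bundle.pem
    print(unexpected_embedded_certs(sample_metadata(SIGNER_DER), bundle))
    print(unexpected_embedded_certs(sample_metadata(OTHER_DER), bundle))
```

An empty list means every embedded certificate is one the caller already expected; any other result names a certificate to reject or investigate before trusting a "signature OK" outcome.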
