CryptoSys Home > FirmaSAT > Troubleshooting > Why is my signature not valid?

Why is my signature not valid?

Why is my signature not valid?
Why does the SignXml function fail in my program?

Some possible reasons

Using old version of FirmaSAT. The latest version is .
Base XML file is invalid XML.
NoCertificado value does not match serial number in X.509 certificate (error -106, CERT_NUM_ERROR).
Using wrong key or certificate file.
Post processing of XML after signing adds extra whitespace characters, or otherwise corrupts the data.
Using deprecated signing options (e.g. digest algorithm SAT_HASH_SHA1 or HashAlgorithm.Sha1).

Troubleshooting Procedure

If you have a file that does not validate elsewhere, please submit it to our Validator page. If that does not help, or if your SignXML function is not working, then continue...

Please follow these troubleshooting steps before asking us for any support.

Set up a clean test directory

Create a new, empty directory. In this example we make C:\Scratch\test1.
```
> mkdir C:\Scratch\test1
> cd C:\Scratch\test1
```
Copy your base XML file to this directory (base = your XML file before signing).
Copy your signing key file and certificate file to this directory. We are using an SAT example key and certificate here.

Open a command-line console in your new directory (see hint below). It should contain just your 3 files.

> dir
 Directory of C:\Scratch\test1
15/12/2017  03:42 PM    <DIR>          .
15/12/2017  03:42 PM    <DIR>          ..
17/05/2017  11:06 PM             1,533 CSD01_AAA010101AAA.cer
16/05/2017  06:49 PM             1,298 CSD01_AAA010101AAA.key
04/12/2017  05:26 PM             3,952 miarchivo-base.xml
               3 File(s)          6,783 bytes

Do Checks

Make sure FirmaSAT is working in the console and check the correct version of the diFirmaSAT2 library is installed (in this case it's 80200 = 8.2.0). The latest version is latest version number

> firmasat LIBINFO
FirmaSAT.exe Version 8.2.[32] (32-bit) (Dec 10 2017 20:45:57).
Library diFirmaSAT2:
  Version:  80200
  Module:   C:\Windows\SYSTEM32\diFirmaSAT2.dll
  Platform: Win32
  Compiled: Dec 10 2017 20:39:06
  Licence:  D

Check the XML structure is OK.
```
> firmasat XMLOK miarchivo-base.xml
OK
```
If there is a problem here, edit the XML file to fix it, then repeat.
Check the certificate serial number matches the value of the NoCertificado attribute.
```
> firmasat NUMBERCERT CSD01_AAA010101AAA.cer
30001000000300023708

> firmasat ATTRIBUTE -a NoCertificado -e "" miarchivo-base.xml
30001000000300023708
```
These two values must match. If not, edit your XML file to correct the NoCertificado attribute. In our case we would need to have NoCertificado="30001000000300023708".
Check the certificate and private signing key match.
```
> firmasat KEYCHECK -i CSD01_AAA010101AAA.cer -k CSD01_AAA010101AAA.key -p 12345678a
OK
```
If you have an error here, check you have the correct key and certificate files, and that your password is correct.
Sign the XML document using your private signing key and certificate. Note the -s @ option to display status if OK.
```
> firmasat signxml -c CSD01_AAA010101AAA.cer -k CSD01_AAA010101AAA.key -p 12345678a -i miarchivo-base.xml -o miarchivo-signed.xml -s @
STATUS: 0
ERRORDESCRIPTION: OK
DATETIMECREATED: Fri Dec 15 15:53:57 2017
```
If this works successfully then the output file is almost certainly a valid and verifiable signed document. Compare this to any earlier signed document that caused a problem.

Check the XML of this new document.

> firmasat XMLOK miarchivo-signed.xml
OK

Verify the new signature.

> firmasat VERIFYSIG miarchivo-signed.xml
OK

Compute the digest of the pipe string (cadena original).

> firmasat FORMDIGEST miarchivo-signed.xml
0ff1274e51fbb090489588d832bb1b5b36543302decbb0a5490839b8c99e8755

Extract the digest from the signature.
```
> firmasat EXTRACTDIGEST miarchivo-signed.xml
0FF1274E51FBB090489588D832BB1B5B36543302DECBB0A5490839B8C99E8755
```
These two digest values should match (upper/lower case excepted). For a CFDiv3.3 document they should be exactly 64 characters long.
Finally, repeat the last 4 steps on any existing signed document you have that is failing to validate. That is, do the XMLOK, VERIFYSIG, FORMDIGEST and EXTRACTDIGEST actions on your "failing" XML document.

A batch file to do the above

A Windows batch file to do the above: DoSigChecks.bat. Change the filenames to suit.

The file created by my program is different

So the file created by your program is different from the signed file produced using the above procedure. What could be the reason? Some suggestions:

You are still using the option flag to specify the digest algorithm: Why has my CFDiv3.3 document been signed using SHA-1?
Your program is actually calling an older version of FirmaSAT. Use the SAT_Version function or the General.Version Method in your program to check. If the version number is different, reinstall the latest version and make sure no old copies of diFirmaSAT2.dll are present.
If you are using the "memory only" functions like Sat.SignXmlToBytes, you need to be especially careful in how you handle the output. See Signing a document in memory: Using Sat.SignXmlToBytes.

Still got a problem?

See How to Get Technical Support. Please make sure you include all extra details required, including output from the above procedure. Don't send any files. We'll contact you.

Open a command-line console in a given directory

Here is a cute way to open a command-line console in a given directory from Windows File Explorer.

Open the directory in Windows File Explorer.
Press Alt+D
Type cmd
Press Enter

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Scratch\test1>

Contact us

To contact us or comment on this page, please send us a message.

This page last updated 17 August 2025