Getting "KEY-NOT-FOUND" with xmlsec1 on macOS


My attempt to sign a simple XML document with xmlsec1 is failing on macOS due to:

$ xmlsec1 --sign --output doc-signed.xml --privkey-pem keysncerts/userkey.pem doc.xml
Enter password for "keysncerts/userkey.pem" file:
Signature status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to sign file "doc.xml"

The example key and XML document are taken directly from this tutorial. This example works on RedHat Linux and Windows, but fails on macOS. I have tried this with both Big Sur/x86 and Ventura/M1.

I used brew to install xmlsec:

brew install xmlsec1

Despite the error message, I am confident the key is found because the same key/XML are signed successfully on other platforms, and because of the prompt for a password on the key file. I have also tried locally generating a public/private key pair with a brew-installed version of openssl, but signing still fails for the same reason.

2

There are 2 answers

0
NaderNader On

I found a solution related to a recent update to libxmlsec that impacted pip installations on macOS. This python-xmlsec issue has different symptoms, but the solution is a brew install with the previous known working libxmlsec version 1.2.37.

I followed the workaround instructions they provided. Now running the command 'xmlsec1 --sign --output doc-signed.xml --privkey-pem keysncerts/userkey.pem doc.xml' completes successfully. Additionally, xmlsec calls from Python are working as well.

Once the fix is deployed, I'd recommend reinstalling the latest brew version again.
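As an added example (not part of the answer above and not xmlsec's own tooling), this shell helper separates the situation the answer describes, KEY-NOT-FOUND on a build newer than the known-working 1.2.37, from the same error on 1.2.37 or older, where the key file itself deserves a second look. The function names, the result labels, the layout of the `--version` line and the "newer than 1.2.37" rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage of an xmlsec1 KEY-NOT-FOUND failure (hypothetical helper).
KNOWN_GOOD="1.2.37"   # version the answer reports as working

# Pull the first dotted triple out of a version line such as
# "xmlsec1 1.2.37 (openssl)" (line layout is an assumption).
parse_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeeds when version $1 is strictly newer than version $2 (X.Y.Z only).
version_gt() {
    a_rest=$1; b_rest=$2
    for i in 1 2 3; do
        a=${a_rest%%.*}; b=${b_rest%%.*}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        a_rest=${a_rest#*.}; b_rest=${b_rest#*.}
    done
    return 1
}

# Map captured xmlsec1 output to a short label.
classify_sign_output() {
    case "$1" in
        *"Failure reason: KEY-NOT-FOUND"*) echo key-not-found ;;
        *"Signature status: FAILED"*)      echo other-failure ;;
        *)                                  echo no-failure-reported ;;
    esac
}

# $1 = output of `xmlsec1 --version`, $2 = captured output of `xmlsec1 --sign ...`
triage() {
    ver=$(parse_version "$1")
    result=$(classify_sign_output "$2")
    if [ "$result" != key-not-found ]; then echo "$result"; return 0; fi
    if [ -n "$ver" ] && version_gt "$ver" "$KNOWN_GOOD"; then
        echo "suspect-regression:$ver"      # matches the case in the answer
    else
        echo "check-key-file:${ver:-unknown}"
    fi
}

# Failure text as quoted in the question; the version line is constructed.
SAMPLE_OUTPUT='Signature status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to sign file "doc.xml"'
triage "xmlsec1 9.9.9 (openssl)" "$SAMPLE_OUTPUT"
```

On a real machine, pass the output of `xmlsec1 --version` as the first argument and the captured output of the failing `--sign` command as the second.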

0
brablc On

I have a workaround using docker:

Dockerfile:

FROM ubuntu:latest
WORKDIR /tmp
RUN apt-get update && apt-get install -y xmlsec1 openssl && apt-get clean && rm -rf /var/lib/apt/lists/*
ENTRYPOINT ["xmlsec1"]
CMD ["--help"]

# Build
docker build -t xmlsec1 .

# Run
docker run -i --rm -v .:/tmp:ro xmlsec1 --sign --privkey-pem privatekey.pem /dev/stdin < input.xml > output.xml