From the spec:
To confirm the validity of a manifest, a signature is included in every manifest. User Agents <strong class="rfc">must</strong> validate the signature of a manifest whenever the publication is opened. Signature for the audiobook manifest is very similar to Readium LCP and reuses terms defined in the Readium Web Publication Manifest for individual resources in the reading order. Signature information is contained in `http://www.feedbooks.com/audiobooks/signature` object in `metadata`: | Key | Semantics | Type | Required? | | ----- | --------- | -------- | --------- | | `algorithm` | Identifies the algorithm used to sign the manifest. | URI | Yes | | `issuer` | Identifies the issuer of the signature. | URI | Yes | | `value` | Contains the signature. | Base-64 encoded octet sequence | Yes | To calculate the validity of this signature, the User Agent <strong class="rfc">must</strong>: - ensure that the `issuer` is present in a list of well-known issuers and that its associated certificate is still valid - use the JSON from the manifest, but remove the `http://www.feedbooks.com/audiobooks/signature` section from it - follow the [guidelines from the Readium LCP specification regarding JSON canonicalization](https://readium.org/lcp-specs/lcp.html#53-canonical-form-of-the-license-document) - validate the signature according to the `algorithm` specificed in the manifest *Example 3: Signature Object* ```json "http://www.feedbooks.com/audiobooks/signature": { "algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "issuer": "https://www.cantookaudio.com", "value": "eKLux/4TtJc6VH6RTOi5lBMh9mT1j2y1z50OruWZgy8QjyPMjDV+aVZWUt7OUTinUHQfWNPBB6DxixgTZ07TQsix4uScL2dJZRQTjUKKHv3he7oJdOkcxjWDh51Q6U2KbDfC2MReG/+Qa4meoI5BN0Q8FKIEFMDZJ2KQTSRj13ZETaD0Nwz+8d6IN7csQGFJHvW/bBJthty+eZNzIr+VE0Kf02OS4yX+wvsExfRabvHlfimT1uUTWc89CgPAuM+Y7vdtjb+B3YFr7ibXATk6lQJkXzKol9ms6vkNwnvxzXwsQ+p1ZjejH1LOYADvedl/ItPrBGkhmq7bbUz91jUd+w==" } ```
We need to get the "list of well-known issuers" and the corresponding list of certificates. It's not clear to me whether this list is static or dynamically generated.
- is cloned by
-
SIMPLY-2507 Validate signature of Feedbooks audio manifest on each publication open
- Done
- relates to
-
SIMPLY-2944 Retrieve Feedbooks key at runtime and respect Cache-Control headers
- Done