From 0d64bfde56f1d2dc0d4475684c6fbcfa25c42362 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 18 Aug 2014 10:10:54 +0000
Subject: [PATCH 01/11] Update to new eduGAIN signing certificate (same public
 key).

---
 mdx/int_edugain/beans.xml          |  2 +-
 mdx/int_edugain/edugain-signer.crt | 15 ---------------
 mdx/int_edugain/mds-2014.cer       | 18 ++++++++++++++++++
 3 files changed, 19 insertions(+), 16 deletions(-)
 delete mode 100644 mdx/int_edugain/edugain-signer.crt
 create mode 100644 mdx/int_edugain/mds-2014.cer

diff --git a/mdx/int_edugain/beans.xml b/mdx/int_edugain/beans.xml
index da39f23f..998dc5e9 100644
--- a/mdx/int_edugain/beans.xml
+++ b/mdx/int_edugain/beans.xml
@@ -67,7 +67,7 @@
     <bean id="int_edugain_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
-                <constructor-arg value="${basedir}/mdx/int_edugain/edugain-signer.crt"/>
+                <constructor-arg value="${basedir}/mdx/int_edugain/mds-2014.cer"/>
             </bean>
         </property>
     </bean>
diff --git a/mdx/int_edugain/edugain-signer.crt b/mdx/int_edugain/edugain-signer.crt
deleted file mode 100644
index c6c6043b..00000000
--- a/mdx/int_edugain/edugain-signer.crt
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC1DCCAbygAwIBAgIETCJV1DANBgkqhkiG9w0BAQUFADAsMQ4wDAYDVQQKEwVHRUFOVDEaMBgG
-A1UEAxMRZWR1R0FJTiBTaWduZXIgQ0EwHhcNMTAwNjIzMTg0MzMyWhcNMTQwODAxMTg0MzMyWjAs
-MQ4wDAYDVQQKEwVHRUFOVDEaMBgGA1UEAxMRZWR1R0FJTiBTaWduZXIgQ0EwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCRfl1zhkaFveJvJtS03bRIO3k77q2s5m+c6sQ83j71rIad+vGC
-O29S4JHBXHI/U57yNbNLgoKzl0MI4WQrs4KT/y+LPMFB9M0lNrALQd/op6PNc7CWKMN1yV8V/L74
-/vapRlb90gPVJABHmoAfQmjyMXLW38KLwzK1qEpKUIxPBfQMBawmh0gC2T5ndZndcMPpgsMXyG2A
-Z4QGSOt4tgpspjTSRY++X+gi9WUuWzsEHHdFhCR9UYQ6+1glMVheJjVmoD0b9V/KQ0BF/1zry2jf
-WlchFeILlWbWgiWsIBA4BPNHqFW42qGgUr9DI3FzRLHXqF2N2f592tzcTeDZ11ejAgMBAAEwDQYJ
-KoZIhvcNAQEFBQADggEBAGC8iCKBUzmNIhikaCImp8WIMoI9VMYf/iBGcovaujRW85BmVfE0qj2y
-G2BfuA8RkxX7wayvb6znA7HSuQHpdVoI6poPbaW5ynZy35G3pzKs7dyZo6oGivE1Cj7PqJHXLICJ
-in3pKWGfHLkkYa64B32pXy7t42Rlvn2uog5MEYCgo4jnfhxnw0iPFJTHEy3x/PJ5Yxe5o/fDIUXt
-bIb0R0Z6Tym34YsUQQvmT11vfPPsFVc6Nkda0xo2DBxaPfw3ieTojimmnToPLFJL9DEEWKSSrIZQ
-YYrop0ftnQRhkFiu2TMYXiIiwKgLXKz7VybtcIMjt/tClNsDWTlIxwwFnNo=
------END CERTIFICATE-----
diff --git a/mdx/int_edugain/mds-2014.cer b/mdx/int_edugain/mds-2014.cer
new file mode 100644
index 00000000..868e6c45
--- /dev/null
+++ b/mdx/int_edugain/mds-2014.cer
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1DCCAbwCCQDDDZyGtn6K8TANBgkqhkiG9w0BAQUFADAsMQ4wDAYDVQQKEwVH
+RUFOVDEaMBgGA1UEAxMRZWR1R0FJTiBTaWduZXIgQ0EwHhcNMTQwNzAyMTQzNDQ5
+WhcNMTkwNzAxMTQzNDQ5WjAsMQ4wDAYDVQQKEwVHRUFOVDEaMBgGA1UEAxMRZWR1
+R0FJTiBTaWduZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR
+fl1zhkaFveJvJtS03bRIO3k77q2s5m+c6sQ83j71rIad+vGCO29S4JHBXHI/U57y
+NbNLgoKzl0MI4WQrs4KT/y+LPMFB9M0lNrALQd/op6PNc7CWKMN1yV8V/L74/vap
+Rlb90gPVJABHmoAfQmjyMXLW38KLwzK1qEpKUIxPBfQMBawmh0gC2T5ndZndcMPp
+gsMXyG2AZ4QGSOt4tgpspjTSRY++X+gi9WUuWzsEHHdFhCR9UYQ6+1glMVheJjVm
+oD0b9V/KQ0BF/1zry2jfWlchFeILlWbWgiWsIBA4BPNHqFW42qGgUr9DI3FzRLHX
+qF2N2f592tzcTeDZ11ejAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBACq0ER17moQB
+/39SstbsWdpGQMIsrHZ+ERF7jYdjnE/63xBfMIVFQo2G1PW0cZ1ckpLIQMyKyTAv
+9RAVxv3WVnQ9IGh715jP/QHH7ycTM7oE5XdpNzNMRDMevrtTa1T/GX6G6+cc73JG
+VoJ9JQNXbLv5bspyG9kkIu9VQqUqlrUWTjzBBysAYj4kR1gorrUmI7l2GBrrcGej
+Q57VXdUxaCKzQita0aSSzbHQ+2BxcvYV1r4QWm6Jv8HTn3c4B1d6QbaSEgGHSCkp
+CxwOq82gt1OM/hOz7wzkIQohaYEo3koNlGsat5Hc24VffcosRmNFYmGU+dCnwHDO
+YuxCFwLHAcg=
+-----END CERTIFICATE-----

From 4903b5c977c3dd0dd1f0c65678f2ebd64fcd9c7f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 18 Aug 2014 12:49:34 +0000
Subject: [PATCH 02/11] Trim whitespace in imported md:OrganizationURL
 elements.

---
 mdx/common-beans.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 6158edc6..fcb48fa8 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -609,6 +609,7 @@
     -->
     <bean id="md-NameIDFormat"            parent="QName" c:_0-ref="md_namespace" c:_1="NameIDFormat"/>
     <bean id="md-OrganizationDisplayName" parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationDisplayName"/>
+    <bean id="md-OrganizationURL"         parent="QName" c:_0-ref="md_namespace" c:_1="OrganizationURL"/>
 
     <!--
         Basic EntitiesDescriptor disassembler pipeline stage.
@@ -1022,6 +1023,7 @@
             <set>
                 <ref bean="md-NameIDFormat"/>
                 <ref bean="md-OrganizationDisplayName"/>
+                <ref bean="md-OrganizationURL"/>
                 <ref bean="mdui-InformationURL"/>
             </set>
         </property>

From 01ebc6204b2fecedb0b18ecc5da2a0bea653ce11 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 18 Aug 2014 15:31:44 +0000
Subject: [PATCH 03/11] Trim whitespace in imported mdui:Logo elements.

---
 mdx/common-beans.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index fcb48fa8..37e99e1f 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -738,6 +738,7 @@
     -->
     
     <bean id="mdui-InformationURL" parent="QName" c:_0-ref="mdui_namespace" c:_1="InformationURL"/>
+    <bean id="mdui-Logo"           parent="QName" c:_0-ref="mdui_namespace" c:_1="Logo"/>
 
     <bean id="stripMDUIDiscoHints" parent="ElementStrippingStage"
         p:id="stripMDUIDiscoHints"
@@ -1025,6 +1026,7 @@
                 <ref bean="md-OrganizationDisplayName"/>
                 <ref bean="md-OrganizationURL"/>
                 <ref bean="mdui-InformationURL"/>
+                <ref bean="mdui-Logo"/>
             </set>
         </property>
     </bean>

From 5b994edd8787e5beac0feb67eaad44b1189e9bf5 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 22 Aug 2014 13:47:35 +0000
Subject: [PATCH 04/11] Implement export preview aggregate.

Initial contents are the same as the export aggregate.
---
 .gitignore          |  1 +
 build.xml           | 14 +++++++++++
 mdx/uk/generate.xml | 60 ++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 72 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 364d8b18..2194db9e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -141,6 +141,7 @@
 /xml/member-dates.txt
 /xml/ukfederation-metadata-master.xml
 /xml/ukfederation-export-unsigned.xml
+/xml/ukfederation-export-preview-unsigned.xml
 /xml/ukfederation-test-unsigned.xml
 /xml/ukfederation-export.xml
 /xml/ukfederation-test.xml
diff --git a/build.xml b/build.xml
index 9f9fb520..72866825 100644
--- a/build.xml
+++ b/build.xml
@@ -107,6 +107,8 @@
     <property name="md.prod.unsigned"   value="ukfederation-metadata-unsigned.xml"/>
     <property name="md.test.unsigned"   value="ukfederation-test-unsigned.xml"/>
     <property name="md.export.unsigned" value="ukfederation-export-unsigned.xml"/>
+    <property name="md.export.preview.unsigned"
+                                        value="ukfederation-export-preview-unsigned.xml"/>
     <property name="md.back.unsigned"   value="ukfederation-back-unsigned.xml"/>
     <property name="md.wayf.unsigned"   value="ukfederation-wayf-unsigned.xml"/>
     <property name="md.cdsall.unsigned" value="ukfederation-cdsall-unsigned.xml"/>
@@ -118,6 +120,8 @@
     <property name="md.prod.signed"     value="ukfederation-metadata.xml"/>
     <property name="md.test.signed"     value="ukfederation-test.xml"/>
     <property name="md.export.signed"   value="ukfederation-export.xml"/>
+    <property name="md.export.preview.signed"
+                                        value="ukfederation-export-preview.xml"/>
     <property name="md.back.signed"     value="ukfederation-back.xml"/>
     <property name="md.wayf.signed"     value="ukfederation-wayf.xml"/>
     <property name="md.cdsall.signed"   value="ukfederation-cdsall.xml"/>
@@ -280,6 +284,7 @@
                 <include name="${md.test.signed}"/>
                 <include name="${md.back.signed}"/>
                 <include name="${md.export.signed}"/>
+                <include name="${md.export.preview.signed}"/>
             </fileset>
         </scp>
     </target>
@@ -352,6 +357,7 @@
         <VFY.remote i="${md.test.signed}"/>
         <VFY.remote.both i="${md.back.signed}"/>
         <VFY.remote i="${md.export.signed}"/>
+        <VFY.remote i="${md.export.preview.signed}"/>
         <echo>Verification completed.</echo>
     </target>
 
@@ -413,6 +419,7 @@
                WAYF/CDS aggregates
                test aggregate
                export aggregate
+               export preview aggregate
                fallback aggregate
                statistics
         -->
@@ -427,6 +434,7 @@
         <MDNORM.noblank i="${xml.dir}/${md.cms.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.test.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.export.unsigned}"/>
+        <MDNORM i="${xml.dir}/${md.export.preview.unsigned}"/>
         <MDNORM i="${xml.dir}/${md.back.unsigned}"/>
         <fixcrlf file="${xml.dir}/ukfederation-stats.html" eol="lf" encoding="UTF-8"/>
 
@@ -809,6 +817,9 @@
         <echo>Signing UK export metadata.</echo>
         <SIGN.uk i="${md.export.unsigned}" o="${md.export.signed}" digest="SHA-256"/>
 
+        <echo>Signing UK export preview metadata.</echo>
+        <SIGN.uk i="${md.export.preview.unsigned}" o="${md.export.preview.signed}" digest="SHA-256"/>
+
         <echo>Signing UK fallback metadata.</echo>
         <SIGN.uk i="${md.back.unsigned}" o="${md.back.signed}" digest="SHA-256"/>
 
@@ -856,6 +867,9 @@
         <echo>Verifying signed UK export metadata.</echo>
         <XMLSECTOOL.VFY.uk i="${md.export.signed}"/>
 
+        <echo>Verifying signed UK export preview metadata.</echo>
+        <XMLSECTOOL.VFY.uk i="${md.export.preview.signed}"/>
+
         <echo>Verifying signed UK fallback metadata.</echo>
         <VFY.uk.both i="${md.back.signed}"/>
 
diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 0ca659de..4ab79057 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -724,6 +724,56 @@
         </property>
     </bean>
     
+    <!--
+        ***********************************************************
+        ***                                                     ***
+        ***   E X P O R T   P R E V I E W   A G G R E G A T E   ***
+        ***                                                     ***
+        ***********************************************************
+    -->
+    
+    <bean id="uk_exportPreviewPipeline" parent="SimplePipeline"
+        p:id="uk_exportPreviewPipeline">
+        <property name="stages">
+            <list>
+                <!--
+                    Enforce IdP display name uniqueness before assembling aggregate
+                -->
+                <ref bean="check_dup_display"/>
+                <ref bean="errorTerminatingFilter"/>
+                
+                <ref bean="stripUkfedlabelNamespace"/>
+                <ref bean="stripWayfNamespace"/>
+                <ref bean="stripKeyNames"/>
+                <ref bean="uk_assemble"/>
+                <ref bean="stripEntityScopes"/>
+                <ref bean="removeEmptyExtensions"/>
+                <ref bean="uk_finaliseExport"/>
+                <ref bean="uk_normaliseExport"/>
+                
+                <!--
+                    Schema validity and other checks MUST pass.
+                    
+                    These are a subset of the publishability tests applied to
+                    aggregates published to federation members.
+                -->
+                <ref bean="checkSchemas"/>
+                <ref bean="check_aggregate"/>
+                <ref bean="check_namespaces"/>
+                <ref bean="errorTerminatingFilter"/>
+                
+                <bean parent="SerializationStage" p:id="serializeUnsignedExportPreviewAggregate">
+                    <property name="outputFile">
+                        <bean class="java.io.File">
+                            <constructor-arg value="${basedir}/xml/ukfederation-export-preview-unsigned.xml"/>
+                        </bean>
+                    </property>
+                </bean>
+                
+            </list>
+        </property>
+    </bean>
+    
     <!--
         *************************************
         ***                               ***
@@ -884,12 +934,12 @@
                 -->
                 
                 <!--
-                    Fork a new output pipeline for the export aggregate.
+                    Fork a new output pipeline for the export and export preview aggregates.
                     
-                    The export aggregate only includes UK-registered entities,
+                    These aggregates only include UK-registered entities,
                     so the fork needs to occur before any others are introduced.
                     
-                    The export aggregate is also intended to reflect the registered
+                    The export aggregates are also intended to reflect the registered
                     metadata as closely as possible, so the fork must happen before
                     too many UK-specific transformations are performed.
                 -->
@@ -901,6 +951,10 @@
                                 <constructor-arg ref="uk_exportPipeline"/>
                                 <constructor-arg ref="uk_exportSelector"/>
                             </bean>
+                            <bean class="net.shibboleth.utilities.java.support.collection.Pair">
+                                <constructor-arg ref="uk_exportPreviewPipeline"/>
+                                <constructor-arg ref="uk_exportSelector"/>
+                            </bean>
                         </list>
                     </property>
                     <property name="waitingForPipelines" value="true"/>

From 78abffdd2246e601e4cfcb14e9c343658531d412 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Fri, 22 Aug 2014 14:22:04 +0000
Subject: [PATCH 05/11] Switch export preview aggregate to opt-out.

---
 mdx/uk/generate.xml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index 4ab79057..ed42761f 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -732,6 +732,11 @@
         ***********************************************************
     -->
     
+    <bean id="uk_exportPreviewSelector" class="net.shibboleth.metadata.dom.XPathItemSelectionStrategy">
+        <constructor-arg value="/md:EntityDescriptor[not(md:Extensions/ukfedlabel:ExportOptOut)]"/>
+        <constructor-arg ref="commonNamespaces"/>
+    </bean>
+    
     <bean id="uk_exportPreviewPipeline" parent="SimplePipeline"
         p:id="uk_exportPreviewPipeline">
         <property name="stages">
@@ -953,7 +958,7 @@
                             </bean>
                             <bean class="net.shibboleth.utilities.java.support.collection.Pair">
                                 <constructor-arg ref="uk_exportPreviewPipeline"/>
-                                <constructor-arg ref="uk_exportSelector"/>
+                                <constructor-arg ref="uk_exportPreviewSelector"/>
                             </bean>
                         </list>
                     </property>

From 0e210b7ccc1baf53de2ad2a21600cfb910404d6a Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 25 Aug 2014 12:50:15 +0000
Subject: [PATCH 06/11] Normalise xenc namespace prefix.

---
 mdx/ns_norm.xsl | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mdx/ns_norm.xsl b/mdx/ns_norm.xsl
index 1e71bc9c..2c907602 100644
--- a/mdx/ns_norm.xsl
+++ b/mdx/ns_norm.xsl
@@ -46,6 +46,7 @@
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
 	xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF"
+	xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 	
 	exclude-result-prefixes="md"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -184,6 +185,12 @@
 			<xsl:apply-templates select="node()|@*"/>
 		</xsl:element>
 	</xsl:template>
+
+	<xsl:template match="xenc:*">
+		<xsl:element name="xenc:{local-name()}">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>
 	
 		
 	<!--

From c6017457f355bd649ae9a127b61fd325558d6e37 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 25 Aug 2014 12:50:58 +0000
Subject: [PATCH 07/11] Return to full verification of all aggregates while the
 MPS uses metadatatool.

---
 build.xml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/build.xml b/build.xml
index 72866825..38e8fb3d 100644
--- a/build.xml
+++ b/build.xml
@@ -354,10 +354,10 @@
         <VFY.remote.both i="${md.prod.signed}"/>
         <VFY.remote.both i="${md.wayf.signed}"/>
         <VFY.remote.both i="${md.cdsall.signed}"/>
-        <VFY.remote i="${md.test.signed}"/>
+        <VFY.remote.both i="${md.test.signed}"/>
         <VFY.remote.both i="${md.back.signed}"/>
-        <VFY.remote i="${md.export.signed}"/>
-        <VFY.remote i="${md.export.preview.signed}"/>
+        <VFY.remote.both i="${md.export.signed}"/>
+        <VFY.remote.both i="${md.export.preview.signed}"/>
         <echo>Verification completed.</echo>
     </target>
 
@@ -862,13 +862,13 @@
         <VFY.uk.both i="${md.cdsall.signed}"/>
 
         <echo>Verifying signed UK test metadata.</echo>
-        <XMLSECTOOL.VFY.uk i="${md.test.signed}"/>
+        <VFY.uk.both i="${md.test.signed}"/>
 
         <echo>Verifying signed UK export metadata.</echo>
-        <XMLSECTOOL.VFY.uk i="${md.export.signed}"/>
+        <VFY.uk.both i="${md.export.signed}"/>
 
         <echo>Verifying signed UK export preview metadata.</echo>
-        <XMLSECTOOL.VFY.uk i="${md.export.preview.signed}"/>
+        <VFY.uk.both i="${md.export.preview.signed}"/>
 
         <echo>Verifying signed UK fallback metadata.</echo>
         <VFY.uk.both i="${md.back.signed}"/>

From f010267655a994e8e63ec13877b2a4722c9c7ae9 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 26 Aug 2014 08:41:28 +0000
Subject: [PATCH 08/11] Permit entity attributes in production aggregate.

---
 mdx/uk/generate.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mdx/uk/generate.xml b/mdx/uk/generate.xml
index ed42761f..91b25280 100644
--- a/mdx/uk/generate.xml
+++ b/mdx/uk/generate.xml
@@ -338,7 +338,6 @@
                 <ref bean="errorTerminatingFilter"/>
                 
                 <ref bean="uk_assemble"/>
-                <ref bean="stripMdattrNamespace"/>
                 <ref bean="fixup_EncryptionMethod"/>
                 <ref bean="performOtherFixups"/>
                 <ref bean="uk_finaliseProduction"/>

From b5909af89db1ce9de07148c39fa872b6448bd075 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 26 Aug 2014 13:56:00 +0000
Subject: [PATCH 09/11] Move UKf verification certificate and keystore into the
 mdx tree.

---
 build.xml                               |   4 ++--
 {build => mdx/uk}/ukfederation-2012.jks | Bin
 {build => mdx/uk}/ukfederation-2012.pem |   0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename {build => mdx/uk}/ukfederation-2012.jks (100%)
 rename {build => mdx/uk}/ukfederation-2012.pem (100%)

diff --git a/build.xml b/build.xml
index 38e8fb3d..9dbc2387 100644
--- a/build.xml
+++ b/build.xml
@@ -609,7 +609,7 @@
         <attribute name="i"/>
         <sequential>
             <MDT i="@{i}" o="${null.device}"
-                keystore="${build.dir}/ukfederation-2012.jks"
+                keystore="${mdx.dir}/uk/ukfederation-2012.jks"
                 alias="${keystore.uk.vfy.alias}"/>
         </sequential>
     </macrodef>
@@ -702,7 +702,7 @@
                 <args>
                     <arg value="--verifySignature"/>
                     <arg value="--certificate"/>
-                    <arg value="${build.dir}/ukfederation-2012.pem"/>
+                    <arg value="${mdx.dir}/uk/ukfederation-2012.pem"/>
                     <!--
                     <arg value="- -quiet"/>
                     -->
diff --git a/build/ukfederation-2012.jks b/mdx/uk/ukfederation-2012.jks
similarity index 100%
rename from build/ukfederation-2012.jks
rename to mdx/uk/ukfederation-2012.jks
diff --git a/build/ukfederation-2012.pem b/mdx/uk/ukfederation-2012.pem
similarity index 100%
rename from build/ukfederation-2012.pem
rename to mdx/uk/ukfederation-2012.pem

From 6bbd4d3fcc53fe3c7dc6bae37fc9c587e64170ee Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 26 Aug 2014 14:07:02 +0000
Subject: [PATCH 10/11] Remove redundant copy of the UKf verification
 certificate.

---
 mdx/uk/beans.xml           |  2 +-
 mdx/uk/metadata-signer.crt | 23 -----------------------
 2 files changed, 1 insertion(+), 24 deletions(-)
 delete mode 100644 mdx/uk/metadata-signer.crt

diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index 25c67e10..a643801f 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -74,7 +74,7 @@
     <bean id="uk_signingCertificate" parent="X509CertificateFactoryBean">
         <property name="certificateFile">
             <bean class="java.io.File">
-                <constructor-arg value="${basedir}/mdx/uk/metadata-signer.crt"/>
+                <constructor-arg value="${basedir}/mdx/uk/ukfederation-2012.pem"/>
             </bean>
         </property>
     </bean>
diff --git a/mdx/uk/metadata-signer.crt b/mdx/uk/metadata-signer.crt
deleted file mode 100644
index a1f3a57a..00000000
--- a/mdx/uk/metadata-signer.crt
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDxzCCAq+gAwIBAgIJANixLkdCTNtvMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
-BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u
-IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQDDB1VSyBGZWRlcmF0
-aW9uIE1ldGFkYXRhIFNpZ25lcjAeFw0xMjEwMTEwNzA4MThaFw0xNDExMTYwNzA4
-MThaMHoxCzAJBgNVBAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVu
-dCBGZWRlcmF0aW9uIGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQD
-DB1VSyBGZWRlcmF0aW9uIE1ldGFkYXRhIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAOqtfMvCmBuQudC4/jZFPYkHDNHFyp1FA3KJihIUXppF
-vrecrO2wG5CpyqB1mZ+MlKf4jKcTMGBIXC2klD+FyrEdJMBhO6vRmJnNphg3uNZM
-ks0NqIaZmtgc7e8435nMhqLHV95UK2oCLcT4gZrTaXa2vt9kukTOijB0KqDIfEG5
-369EHXPItApAEeMlHebbWndl5n2I16nya/LeaoiU9qJ6sVz4xd1UtUesewrmYVKg
-PA2JYEpovmnr13sTnGssai5Db/FkrE2NJ4Q4drbPYcwincUo/UXzrtuPclr+l3JE
-gjtvDzPrBxxvK0S/gARrbKz5tk4LDLkYsj4PKlwVS+UCAwEAAaNQME4wHQYDVR0O
-BBYEFE9HhBuMxrzBYOj1Kj/3gtzAgtUEMB8GA1UdIwQYMBaAFE9HhBuMxrzBYOj1
-Kj/3gtzAgtUEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAByZ5haR
-hr8QqCo8DWO1qgVkUpPR1e/EFl+zV633esn5GJxIkD95va1Lxv84BmLBTD+EtX3T
-OkrXccIL1PCUkGmP3xVsh99mzsVEGmfTC0wu8PYDz1UvUwQLcjg6YQDN3GmA1EUW
-gt2cL8F4Q4/saowkkYjt0wWGQ/SNhwnGWwpo4ViTnoh3sNgr5gPHlozDGkL1NPG1
-bxdmyxmkr778yExS9xoEC4+Bnm7ApJyv3R2L9fpxCfEjE4tf3rWiSQL0Ss5etZNH
-9qmw7sGZ7xX0g6rcki/r5Y9u0v/rRKvIOw8/YGW5B2P3Ij/paJWzasZsdsgj0pDJ
-buk20xhyzBW6D/I=
------END CERTIFICATE-----

From 352937db81aac7374fc5daf6ef4c19bec9018919 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Tue, 26 Aug 2014 14:41:26 +0000
Subject: [PATCH 11/11] Add prospective 2014 UKf verification certificate and
 keystore.

---
 mdx/uk/ukfederation-2014.jks | Bin 0 -> 1040 bytes
 mdx/uk/ukfederation-2014.pem |  23 +++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 mdx/uk/ukfederation-2014.jks
 create mode 100644 mdx/uk/ukfederation-2014.pem

diff --git a/mdx/uk/ukfederation-2014.jks b/mdx/uk/ukfederation-2014.jks
new file mode 100644
index 0000000000000000000000000000000000000000..b06e2eb2e59ebae64f10a91a7f3ec26bdee41b8b
GIT binary patch
literal 1040
zcmezO_TO6u1_mY|W(3nbrP*nzDXB$?C7JnoKtT_o;J7RX)(AaQ14{-5=F<jE%*PFy
znAR^~W@2Pw;$(QEx3FJ#(>FE)UN%mxHjlRNyo`+8tPBQKhTI06Y|No7Y{E?LPKM3~
zjvx*fk5#C*f@5-WYH_iGZ(?3zdTMTJUWtMm+)9PC{2~R{l+t9d0~8YTQWSzxi&GPe
zk~0j|3{*gdF!RU)4MEc4n_7~Xl30?c5S*Ewms(^XC(dhVVqjrpW@uz&U}O;`&TDLL
zXk=^%<qoLZni!RkgNl)rfw_s1pTVGsk&CH`k&)rm+M3gcW=K!id11#tGgsSAcAkqz
zPtA2@F6!(O5{aATx^MfOHE%aaPgr?sLFvr-JyVwd=vgjokl+!cyJU)e>#2>hDhCp+
zS6`el^XxJS^BvcGCY|M7(Kd6|4Vky^E$+`e)3)e%_`MMAEGFF}KN@FU&Me!u?|#ZI
zmvdbPC0Ywk)Hv?EzurZ*_{0`22f@dxvd?Zum8U+d?YO@3Q}(BOSshcpEvniW^W*5<
zkge`(s=1ye1}(7R?M(2>*q8bGdbRMJY@IAU=lqW;YkYgvTP(`9oliWYH20{+U)Rs;
zZub{O{hMCo(qx^_Z~U5FCSTiSe*;T)&YGXw{J42`N^G*@*NPGKe#*qm$iTQbz`)Ny
z78uvEd@N!tBL40z(mlua987reRm=W+)13oNS6K|?LDI@B5(Z)o*cI@A6bQ4h8Za|5
z{zndTVDbcpIU~cSlwR9Y4tqb`7mg2oyL*oFjK@ve7-y_|(2+G$WX;qwJ@X_#uIoP1
zvgv#0qt;md2_l`wp;szd4{tZy(s6!jRsPHNZTmd>79Ev0-h9r+{+>Q}>BYVcT%Mh)
z|EX;?<wy$W^piQ*aJGeK{tnLUHICf3LVJRPzNXq7-;i4rY5s2F@AbaFBc8}e{=LCq
z#w2!N!^1uMni$#2o2S052>!$+YLdR~dko{<kc)@2Q;Q?Dg#xUD9OpZqv|i<9=6-GM
z{#Dm~ing6xdYQ4P+^;?=(q+%>m+NOuXjA(CH_N)8eTkgGqKAJQb#DsFuQrhgje7g#
us+-}$AnU~^+mhDZ6}S{rz0>czV!jPuMAF^bpSrv4zSiw4wfrx_<p%)z?w2kA

literal 0
HcmV?d00001

diff --git a/mdx/uk/ukfederation-2014.pem b/mdx/uk/ukfederation-2014.pem
new file mode 100644
index 00000000..bee705cd
--- /dev/null
+++ b/mdx/uk/ukfederation-2014.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIJAOwuoY8tsvYGMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV
+BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u
+IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQDDB1VSyBGZWRlcmF0
+aW9uIE1ldGFkYXRhIFNpZ25lcjAeFw0xNDA4MjYxMjIwMjhaFw0zNzEyMzExMjIw
+MjhaMHoxCzAJBgNVBAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVu
+dCBGZWRlcmF0aW9uIGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQD
+DB1VSyBGZWRlcmF0aW9uIE1ldGFkYXRhIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAOqtfMvCmBuQudC4/jZFPYkHDNHFyp1FA3KJihIUXppF
+vrecrO2wG5CpyqB1mZ+MlKf4jKcTMGBIXC2klD+FyrEdJMBhO6vRmJnNphg3uNZM
+ks0NqIaZmtgc7e8435nMhqLHV95UK2oCLcT4gZrTaXa2vt9kukTOijB0KqDIfEG5
+369EHXPItApAEeMlHebbWndl5n2I16nya/LeaoiU9qJ6sVz4xd1UtUesewrmYVKg
+PA2JYEpovmnr13sTnGssai5Db/FkrE2NJ4Q4drbPYcwincUo/UXzrtuPclr+l3JE
+gjtvDzPrBxxvK0S/gARrbKz5tk4LDLkYsj4PKlwVS+UCAwEAAaNQME4wHQYDVR0O
+BBYEFE9HhBuMxrzBYOj1Kj/3gtzAgtUEMB8GA1UdIwQYMBaAFE9HhBuMxrzBYOj1
+Kj/3gtzAgtUEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALJkjT3K
+QL3w3xNfVe27nEOY44K2AZiu4IhqmRSslcyMnhnxrovEhLL3ieKFXQ+QFIkzVdR5
+BcO3NrSIz5V6b+mHtr5IjqLFHzOzzjw/3i8LddGOsApJiav+JrU1CGJXCU4cwYDN
+hAyfuAlrrEEL2lWMU1L1ZTzHsG1yWTfukfuvTftY5BwZ/dgANgIWwLDhvL6CAQZ3
+g5XteFPyChU0Z7b3XAHdVNHDa2VzWSsSUDtSQZ9DyTuqSjZH1q2/qtdMcrbJpdMB
+cndOf1pZRLzb6a+akIYi//1qO48HpB4wouH9gS3ZER+rNBhVWu301UYxoVI7o8mG
+Yq7dENJce7lO9yE=
+-----END CERTIFICATE-----