Help with Signature Validation Failure (CSID OK, Java SDK Valid, Signature FAILS)

Signing process
1

Hi everyone :waving_hand:

I’ve successfully obtained a CSID from binarySecurityToken using the TSTZATCA-Code-Signing profile and have passed the Java SDK 3.4.1 validation for [EN][KSA][QR][PIH].

However, signature validation consistently fails with the following errors:

CODE: xadesSignedPropertiesDigestValue, MESSAGE: wrong xadesSignedPropertiesDigestValue
CODE: signatureValue, MESSAGE: wrong signature Value
CODE: signingCertificateDigestValue, MESSAGE: wrong signingCertificateDigestValue

I’ve followed both the “E-Invoicing Detailed Technical Guideline” (step 5, page 52) and the “SigningProcessUpdated.pdf”, ensuring:

  • The invisible SignedProperties template is populated correctly
  • The same values are used in both the actual invoice and the hashable version
  • SHA-256 is applied as described, followed by base64 encoding (ZATCA style: hash → hex → base64)

Despite this, I can’t get [SIGNATURE] to pass validation. :downcast_face_with_sweat:

Has anyone encountered this or can offer insight into how they solved it?

Happy to share sanitized XML snippets or hash output if needed.
Thanks in advance for any guidance!

2

Dear @Hiro

Thanks for reaching out,

To provide comprehensive support as usual, can I kindly ask you to mention the steps that you followed from the beginning (from generating the CSR)

Additionally, **Note that the latest SDK version is 3.4.1 ** ensure to install it to be comply with all the new business rules.

Thanks,
Ibrahem Daoud.

3

Hi Ibrahem,

Thanks for the approval and getting back to me!

Funny thing, if you scroll up a bit in my original post, you’ll spot that I did mention using SDK version 3.4.1

I’ve successfully obtained a CSID from binarySecurityToken using the TSTZATCA-Code-Signing profile and have passed the Java SDK 3.4.1 validation for [EN][KSA][QR][PIH]

(guess we’re on the same page already :grinning_face_with_smiling_eyes:).

I’ve since uncovered the secret formula (no canonicalization or even linearization for the invisible SignedProperties node) and all validations are now passing locally :tada: — but the web validator is still throwing wrong X509IssuerName and wrong X509SerialNumber errors. Any insights on why the online tool https://sandbox.zatca.gov.sa/TestXML might still be grumpy? Or maybe (please correct me if I’m wrong) the web validator expects a certain CSID - PCSID (production) for example?..

Here’s my local Java SDK 3.4.1 SDK validation for the same invoice:

$ fatoora:sdk -validate -invoice /home/hiro/dev/projects/zatca-integration/invoices/signed/receipt-38715.xml
********** Welcome to ZATCA E-Invoice Java SDK 3.4.1 *********************
This SDK uses Java to call the SDK (jar) passing it an invoice XML file.
It can take a Standard or Simplified XML, Credit Note, or Debit Note.
It returns if the validation is successful or shows errors where the XML validation fails.
It checks for syntax and content as well.
You can use the command (fatoora -help) for more information.

****************************************************************
2025-05-07 13:13:49,210 [INFO] ValidationProcessorImpl - [XSD] validation result : PASSED
2025-05-07 13:13:50,113 [INFO] ValidationProcessorImpl - [EN] validation result : PASSED
2025-05-07 13:13:50,415 [INFO] ValidationProcessorImpl - [KSA] validation result : PASSED
2025-05-07 13:13:50,815 [INFO] ValidationProcessorImpl - [QR] validation result : PASSED
2025-05-07 13:13:50,956 [INFO] ValidationProcessorImpl - [SIGNATURE] validation result : PASSED
2025-05-07 13:13:50,961 [INFO] ValidationProcessorImpl - [PIH] validation result : PASSED
2025-05-07 13:13:50,961 [INFO] InvoiceValidationService -  *** GLOBAL VALIDATION RESULT = PASSED

Thanks again!

Best,
Hiro

4

Dear @Hiro

Thanks for your clarification,

Please note that you can only rely on the SDK validation results and the endPoint itself as they must be the same response, However regarding the sandbox it’s only to check the business rules as it’s contains it’s own certificate, and you will always receiving an error related to the certificate.

Now since you are receiving a pass response with no warnings or errors using SDK 3.4.1 I would recommend you to check and confirm if the API response the same.

Thanks,
Ibrahem Daoud.

5

hi hiro,
Please can you tell me how i create and privatekey and csr by using sdk