Dears,
This is what I came up with after reading and experimenting with different PDF documents and files published on the Zatca website:
To integrate with Zatca and start issuing Zatca-compliant invoices, you will have to do the following:
Steps that need to be done one time:
1- Generate a private key and CSR file.
(Can be done with fatoora app)
2- Send the generated CSR to Zatca to obtain the CCSID (Compliance CSID).
(Can be done with a POST request to their API endpoint)
From this step, the API will give you a temporary CCSID certificate + secret + a request number.
3- Send the request number, using the CCSID + secret for authorization, to Zatca to obtain the PCSID (Production CSID).
(Can be done with a POST request to Zatca API endpoint)
From this step, the API will give you a PCSID cert + secret.
The PCSID is the cert that you will be using for signing invoices, and it, as well as the secret, will be used for authorizing requests to send invoices to Zatca.
Now the steps that need to be done per invoice:
1- Generate an XML version of the invoice.
(For this, they give you a standard XML template in the fatoora app that you can programmatically modify to reflect your invoice)
All details regarding the tags, what options exist, and what is allowed and not allowed for those tags can be found in a separate document on the Zatca website.
The XML at this point should have the signing tags, but they are filled with dummy, incorrect data, which is needed for the XML to be valid.
2- Generate QR code for the invoice using fatoora app and the generated XML.
The problem I don’t get here is that the XML is not yet the final version, yet the QR code should compute a hash for that XML, which will be different for the final invoice, making the hash of the QR code invalid?
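The question in the last step comes down to which parts of the XML the hash covers. The following is an added example, not part of the original post and not Zatca's or the fatoora app's code. It assumes the invoice hash is computed over the XML with the `ext:UBLExtensions` signature block, the `cac:Signature` element and the QR `cac:AdditionalDocumentReference` left out, as in an enveloped XML signature, and shows that filling those placeholders later leaves the hash unchanged while a change to the invoice data does not. The invoice content, the element subset and the function names are constructed for illustration, and Python's C14N 2.0 stands in for the canonicalization the standard specifies, so the values will not match the official tool.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

UBL = "urn:oasis:names:specification:ubl:schema:xsd:"
NS = {"ext": UBL + "CommonExtensionComponents-2",
      "cac": UBL + "CommonAggregateComponents-2",
      "cbc": UBL + "CommonBasicComponents-2"}

def build_invoice(sig, qr, amount):
    """Constructed, heavily trimmed invoice; sig and qr are the placeholder slots."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (
        f'<Invoice xmlns="{UBL}Invoice-2" {xmlns}>'
        f"<ext:UBLExtensions><ext:UBLExtension><ext:ExtensionContent>{sig}"
        "</ext:ExtensionContent></ext:UBLExtension></ext:UBLExtensions>"
        "<cbc:ID>INV-0001</cbc:ID>"
        "<cac:AdditionalDocumentReference><cbc:ID>ICV</cbc:ID>"
        "<cbc:UUID>1</cbc:UUID></cac:AdditionalDocumentReference>"
        "<cac:AdditionalDocumentReference><cbc:ID>QR</cbc:ID><cac:Attachment>"
        f"<cbc:EmbeddedDocumentBinaryObject>{qr}</cbc:EmbeddedDocumentBinaryObject>"
        "</cac:Attachment></cac:AdditionalDocumentReference>"
        "<cac:Signature><cbc:ID>sig-ref</cbc:ID></cac:Signature>"
        "<cac:LegalMonetaryTotal>"
        f'<cbc:PayableAmount currencyID="SAR">{amount}</cbc:PayableAmount>'
        "</cac:LegalMonetaryTotal></Invoice>")

def is_excluded(el):
    """True for the elements assumed to be left out of the invoice hash."""
    if el.tag in (f"{{{NS['ext']}}}UBLExtensions", f"{{{NS['cac']}}}Signature"):
        return True
    return (el.tag == f"{{{NS['cac']}}}AdditionalDocumentReference"
            and el.findtext("cbc:ID", namespaces=NS) == "QR")

def invoice_hash(xml_text):
    """Base64 SHA-256 over the canonical XML minus signature and QR elements."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in [c for c in parent if is_excluded(c)]:
            parent.remove(child)
    # Assumption: Python's C14N 2.0 stands in for the standard's canonical form.
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()

draft = build_invoice("DUMMY", "DUMMY", "115.00")  # template with dummy signing data
final = build_invoice("constructed-signature", "constructed-qr", "115.00")
tampered = build_invoice("constructed-signature", "constructed-qr", "999.00")
print(invoice_hash(draft) == invoice_hash(final), invoice_hash(draft) == invoice_hash(tampered))
```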