• Sign the xml file with an electronic signature. How to sign a digital signature file correctly. Encryption and decryption process

    Today, when almost all document flow becomes paperless, signing documents with help is commonplace.

    In the field of public procurement, submitted applications are signed electronically. This gives customers the guarantee that they are dealing with real participants. Also, contracts that are concluded as a result of government procurement come into force only after endorsement using an electronic digital signature.

    A digital signature is also required in the following situations:

    1. Reporting to regulatory authorities. You can submit it electronically to services such as the Federal Tax Service, Rosstat, Pension Fund and Social Insurance Fund. This greatly simplifies the transfer of information and increases accuracy: most services offer automatic error checking.
    2. Electronic document management (EDF). One of the most common uses, since a letter signed in this way corresponds to a paper letter with a stamp and a visa. Allows you to switch to paperless document flow both within the company and outside it.
    3. Government services. A citizen of the Russian Federation can endorse submitted applications to departments through the government services portal, participate in public initiatives, use a personal account on the Federal Tax Service website, and even apply for a loan.
    4. Invoices, contracts, official letters signed electronically can be used as evidence. According to the Arbitration Procedure Code of the Russian Federation, such a document is analogous to a paper one with a handwritten visa.

    What types of electronic signatures are there?

    An electronic signature is a “stamp” that allows you to identify its owner, as well as verify the integrity of the signed document. The types of digital signatures and the procedure for their execution have been approved. He established that there are three types of signatures:

    1. Simple. Commonly used for signing letters or specifications, confirmed using passwords, codes and other means, most often used in corporate EDI systems.
    2. Reinforced. It is obtained through the process of cryptographic processing of information and the use of a private key. Allows you to determine who signed the document, as well as the fact that changes were made after signing.
    3. Reinforced. It is similar to an unqualified one, but for its creation and verification, cryptographic protection technologies certified by the FSB of the Russian Federation are used. Such electronic signatures are issued only by accredited

    There are several ways to endorse a document. Let's look at the most common ones.

    We sign using the CryptoPRO CSP software package

    How to electronically sign a Word document(MS Word)

    1. Open the required file, click on the menu “File” - “Information” - “Add electronic signature (CRYPTO-PRO)”.

    2. Select the desired electronic signature, add a comment if necessary, and click “Sign”.

    3. If there are no errors, the system displays a window with successful signing.

    If the CryptoPRO Office Signature plugin is installed

    1. Open the desired file, select “File”, then “Add digital signature”.

    2. Similar to the previous option, select the required electronic signature, add a comment, if necessary, and click “Sign”.

    3. If there are no errors, the system displays a message that the document was successfully signed.

    How to electronically sign a PDF document(Adobe Acrobat PDF)

    1. Open the required PDF file, click on the “Tools” panel and see the “Certificates” label. Let's choose it.

    2. Click on “Apply a digital signature” and select the area on the file where the signature mark will be located.

    4. A window with a preview of the stamp will open. If everything is correct, then click “Sign”.

    5. The system will issue a notification about successful signing. That's all.

    Signing with the CryptoARM software package

    With this method, it is possible to encrypt all modern formats, as well as archives.

    So let's figure it out how to sign a digital signature document using CryptoARM.

    1. Open the “CryptoARM” program and select the very first action item - “Sign”.

    2. We carefully study the instructions of the ES Creation Master. Click “Next”.

    3. Click on “Select file”, go to the desired file, click on it and click “Next”.

    4. Select the file to sign and click “Next”.

    5. We see the “Output Format” window. If there are no mandatory requirements, then we leave the encoding as is. You can save in ZIP format (for sending by e-mail) or choose a location to save the final result. Click “Next”.

    6. In “Parameters” you can select a property, add a comment, and also select an attached electronic signature (attached to the source file) or detached (saved as a separate file), as well as additional parameters if desired. When everything is ready, click “Next”.

    7. Now you need to select a certificate; to do this, click “Select”, indicate the required certificate and click “Next”.

    8. At the next stage we see the final window with a brief description of the data. If next time the files are signed in the same order, you can save the profile. Click “Finish”.

    9. If there are no errors, the system will display a message indicating successful signing.

    Since the circulation of business documents and correspondence electronically began to gain popularity, the process of determining the authenticity of an electronic file and signing it has become extremely necessary. Working with electronic digital signatures and files of various formats has already become a common part of our lives. But for those who are faced with such an action for the first time, the question inevitably arises of how to sign an electronic signature file. Depending on the creation option, the method of affixing this signature also differs. Therefore, it is necessary to analyze the features of each method.

    Certification of texts created in XML

    If you have to sign a report compiled in XML, then it is worth considering that there are several options for carrying out this action.

    1. You can use the new Microsoft Office component - InfoPath 2003 to generate digital signatures in XML format.
    2. Creating an autograph, as for the usual format. In this case, you will need to use the CryptoPro program.

    Often, to sign reports with this format, it is necessary to create an additional attribute in its tag. A digital signature is entered into it from a character string, the length of which varies and which contains the value of the attributes. This approach, which is quite interesting, but nevertheless quite acceptable, can also be found quite often.

    Working with PDF format

    The question often arises of how to sign a file with an electronic signature if the document is created in PDF format. In order to generate and verify digital signatures of documentation created in PDF format, the CryptoPro company has developed the CryptoPro PDF program. This product is a way to generate and verify digital signatures for letters that were created in Adobe Acrobat and Adobe Reader programs.

    A fairly important fact is that CryptoPro is a free program, that is, to use it you do not have to pay for the services provided. To use this software, you will need to install it, and after that you will be able to check documents.

    Signing multi-file shipments

    Sometimes the question arises of how to sign EDS files if the shipment contains not one, but several acts. In this case, you can create your signature autograph separately for each of them.

    If this option is not possible for some reason, you can create an additional element of text type, where you will subsequently write the identification parameters of the document, as well as the hash function indicators of each individual file in the document. This will make things easier for both you and the recipient of the letter.

    According to Law 218-FZ “On State Registration of Real Estate”, electronic XML documents and scanned images of documents must be signed enhanced qualified electronic signature. All programs of the “Polygon” series, “Polygon Pro” and the “Signature Pro” program are signed with just such a signature.

    To sign:

      Get signature key(certificate) in Certification center. The list of accredited certification centers is published on the Rosreestr website (List of Certification Centers). You can get a certificate in our Certification center LLC "Program Center"

      Along with the signature, purchase and install the program on your computer CryptoPro CSP(it contains the required Russian signature standards), which can also be purchased from our Certification center LLC "Program Center"

    Note: other signing programs not required: CryptoARM (CryptoARM’s signature capabilities are similar to those of the programs in the “ Polygon», « Polygon Pro" and programs " Signature Pro»).

    Note: if you received the signature key from the Certification Center before the release of Law 63-FZ “On Electronic Signatures” (before July 1, 2013), then such a key is valid until January 1, 2014. It needs to be replaced with a new one for use in 2017. This is due to the fact that, according to the new law, the signature must contain the SNILS (Russian Pension Fund) certificate number.

    Software modules of the Polygon Pro platform

    Sign an electronic document in the software modules of the Polygon Pro platform

    To sign an XML file do the following:

    Note: If errors are detected, a protocol for checking the electronic document with warnings and/or errors will be displayed below the XML file structure. It is recommended to correct errors and also pay attention to warnings.

    Similarly, you can sign an XML file directly from the “ ViewXML", to do this, click on the button in the toolbar - « SubscribeXML-file» .

    • After clicking, a window will open with a list of installed certificates. Select the one you want and click « OK» .

    • Next, the program will sign the main document and display a success message.

    Note: in the same folder as the signed file, a signature file will be generated with the same name, with the extension * . sig.

    Sign a group of files in the software modules of the Polygon Pro platform

    The program has the ability to sign a group of files at the same time; to do this, do the following:

    Note: If the list contains files that do not need to be signed, then uncheck them to exclude them from the signing procedure.

    • Click on the button « Subscribe» , after which a window will open with a list of installed certificates. Select the one you want and click « OK» .

    • Next, the program will sign all documents and display a message about signing.

    Note: If errors occur during signing, a verification log will be displayed with warnings and/or errors. For correct signing, errors must be corrected.

    Sign the file in the software modules of the Polygon Pro platform

    The program has the ability to sign any existing file, for example, attached files to a project (scanned documents or image files), including the same way you can sign an electronic document (XML file).

    • Home" in the submenu of the button " Sign all» click on the button - « Subscribe…", after which a file selection window will open.

    • In the window that opens, select the file that you want to sign and click the " Open».

      A window will open with a list of installed certificates. Select the one you want and click " OK».

    • Next, the program will sign the selected document and display a message about readiness.

    Note: in the same folder as the signed file, a signature file will be generated with the same name, with the extension * . sig.

    Check the electronic signature in the software modules of the Polygon Pro platform

    If you received a signed file from the outside and would like to check whether the received file has been modified after it was signed, or simply check whether the file signature was generated correctly, run:

      On the ribbon of the software module in the tab " Home" in the submenu of the button " Sign all» click on the button « Check…».

      Select the file containing the signature (with the extension *. sig), which needs to be verified, or, if necessary, a signed file. If these two files are in different folders, the program will display a warning window where you need to click on the “ Repeat" and select the source file.

    • You will be given a protocol window with information whether the document was signed correctly, by whom and when, or information about the discrepancy with the source file, or if other errors occurred, a message about this will appear.

    Program "Signature Pro"

    For convenient interaction with Certification centerLLC "Program Center", management of digital certificates and private keys of electronic signatures, as well as for signing various files with an electronic signature, the SignaturePro program was developed.

    Instructions for signing files if you are not using programs from the Polygon, Polygon Pro or Signature Pro series.

    How to sign a file with an electronic digital signature?

    These instructions are exemplary; specific steps may depend on the software installed on your computer. Part of the instructions were completed in February 2012, but our programs provide a more convenient option for signing electronic document files enhanced qualified electronic signature.

    To sign electronic document files: boundary plan, map plan, technical plan With an electronic signature, you must verify the presence of installed programs:

      cryptoprovider "CryptoPro CSP";

      "Crypto ARM" - this program is necessary only when you do not use programs from the “Polygon” series, this program in terms of signing is identical to the programs from the “Polygon” series, so it is not needed; to sign files with programs of the "Polygon" series, see the previous page of the instructions; You can sign using both the “Polygon” series programs and the CryptoARM program, if you think that this will be more convenient than using the existing capabilities of the “Polygon” series programs;

    Each file (XML, scan of a printed document and application files) must be signed, since the cadastral registration authority only accepts pairs of files: the original file and the signature file for it. In order to sign a file, you need to select it in the Explorer window and right-click (RMB), a context menu will appear, in it you should select “CryptoARM”, and then “ Subscribe…».



    Then make sure the file name is correct



    Important! set the switch to position " DER encoding", specify the folder for the output files at your discretion. Press the button " Next" In the next window, assign signature parameters


    In this window, the most important thing is to tick the “ Save signature in a separate file" Click the button Next" In the next window, click the button Choose»


    a certificate selection window will open


    in it, select the certificate of your key (look by the owner’s name). After selecting, click the button OK" And " Next" In the last window before signing the document, click the " Ready».

    Important! For each file, it is necessary to create a signature file, since only a pair is accepted: the original file (xml or other) + a signature for it (sig file).

    For a long time, the most pressing question for me was how and with what to sign documents and XML files with an electronic signature or a digital signature. This is good when you are in the office and all programs for signing documents and XML files are installed at your workplace. But in my work, situations often arose when it was necessary to make and sign documents, XML files, while being far from my workplace, or, as always, to do it urgently and now, while at home. It’s too expensive to buy and install software for signing electronically digitally at home, or on a laptop and carry it with you forever. Then I set out to find freely distributed programs on the Internet that make it possible to sign documents and XML files with an electronic digital signature - EDS. It is these programs, as well as one paid one, that we will consider below.

    To be sent to Rosreestr, and this is mandatory, all documents must be signed with an electronic digital signature (electronic digital signature), and sometimes you need to check your own or someone else’s digital signature.

    And so, let's look at how and with what software you can sign a document or XML file with an electronic digital signature. One of the programs is the GIS “Panorama” - “Map-2011” version 11.10.4. Signing documents works even in the unregistered version. The procedure for signing documents, files The list of programs that allow you to sign documents, XML files, EDS (electronic digital signature) for data exchange with the public services portal of the Federal Service for State Registration, Cadastre and Cartography, Rosreestr, via the Internet EDS is as follows: launch “Map-2011”, or “Mini Card”, press “F12” to bring up the application launch menu. In the window that appears, select a task electronic documents, further Formation of an electronic digital signature

    Signature file: select the file you want to sign, and, accordingly, the required certificate in the certificate. That's all, your document or XML file is signed with an electronic signature. If you want to check an existing signature, then select the signature file (file with the “sig” extension). Official website of GIS "" .

    The second program for signing documents and XML files is CryptoLine. Free, fully functional, allows you to sign and encrypt documents, as well as check digital signatures. You can download this program from the official website or download it via a direct link from the page of this site. Working with the program is simple and convenient. Select and add the files that need to be signed, then select the certificate with which you need to sign the documents, XML files and sign the documents. Be careful - choose only one certificate for signing!!! Otherwise, the documents will be signed with exactly as many certificates as you add to the program. Instructions for use are in the program archive. I will give an example below for signing the delivery to Rossreestr.

    After installing the program and launching it, add files to the program that need to be signed. “Actions” tab, “add” button.

    To sign all files at once, you need to select them all - “Shift + right mouse button” or “Shift + down arrow”. Then click “Sign”, in the window that appears, either add a certificate, or leave the one that was selected earlier, or change it to another. Once again I remember that for submission to Rosreestr there should not be more than 1 certificate in this window! Also, set all the settings as shown in the figure:

    Let's sign. After signing, files with the extension “sigO” will be added to your list. This is the file signature. All that remains is to upload the signature files or all the files (at your discretion). Select what you want to upload, in this case three signature files, and click “Upload”. That seems to be all. But like every free cheese there is a small nuance. Rosreestr swears at the file extension “sigO”, so you need to rename the extension from “sigO” to “sig” in Explorer or any file manager.

    The signature of this program has not been verified by the Rosreestr website. The signature verification was carried out by software products that interact with the government services portal of the Federal Service for State Registration, Cadastre and Cartography. All three programs that checked the signature executed by this program gave a positive result. The verification was carried out by the programs indicated here, the GIS “Panorama”, Crypto ARM and the Polygon-Line Plan program. The signature was also verified by the online digital signature authentication service on the website.

    Another program for signing documents and XML files is . You can download it from the official website of the program. The program itself is quite functional and attractive, the cost is not high, only 1200 rubles for 1 workplace. There is tech. support and also extensive assistance. The most complete and up-to-date information can be obtained at. Also read about EDS in the note

    A noble goal ennobles activities in the name of this goal.K. Liebknecht

    I can’t come to a general understanding of the mechanisms for signing xml documents. I would be grateful for your help to figure it out)

    My situation is like this:

    1) there is a certification authority, the issued certificates of which are placed on servers in the windows storage... in personal, trusted, and so on... not the point.

    When logging into the application, the user signs a randomly generated string with the certificate of his choice. On the server, this signature is verified:

    CAPICOM.SignedData _signedData = new CAPICOM.SignedData(); _signedData.Verify(signedData, false, CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE); if (_signedData.Content != data) throw new Exception("Signature content does not match received content"); var _certificate = _signedData.Certificates; // user certificate

    This is how we obtain the user certificate (public key). The important thing is that the signature will be verified only if the corresponding public key of the certificate is on the server in the certificate store. This is what we need, to let in only those whose certificates we ourselves released) It seems clear here.

    2) now we need these same users to sign the xmls with their certificates. My software on the client generates the xmls themselves and signs them with the user-specified certificate:

    Public static void SignXml(XmlDocument xmlDoc, /*RSA*/AsymmetricAlgorithm Key) ( SignedXml signedXml = new SignedXml(xmlDoc); signedXml.SigningKey = Key; Reference reference = new Reference(); reference.Uri = "";//signature entire xml document XmlDsigEnvelopedSignatureTransform(); reference.AddTransform(env); signedXml.AddReference(reference); KeyInfo keyInfo(); keyInfo.AddClause(CryptService.GetKeyInfoClause(Key)); GOST signedXml.KeyInfo = keyInfo; signedXml.ComputeSignature(); XmlElement xmlDigitalSignature = signedXml.GetXml(); xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

    XmlDocument doc = new XmlDocument(); doc.PreserveWhitespace = true; doc.Load(path); SignedXml sx = new SignedXml(doc); XmlNodeList nodeList = doc.GetElementsByTagName("Signature"); sx.LoadXml((XmlElement)nodeList); return sx.CheckSignature();

    The code works, but I have questions with understanding: in this case, you can sign the xml with absolutely any certificate not issued by our CA, and since the information about the public key is stored in the signed xml itself, the signature is verified. This option doesn't suit me. The CheckSignature method has an overload with a parameter of type AsymmetricAlgorithm, which will check the signing certificate for existence in the store, check its validity, expiration date, and so on. This is what I need, but I don’t know in advance which user sent the signed xml.

    Please tell me: how to check an xml signature or how to create it correctly so that only those xmls that are signed only with our certificates (which are installed in the storage) are verified?

    P.s. and what is the general point of keeping both the signature itself and the public key for decrypting the signature in xml? If you remove the line signedXml.KeyInfo = keyInfo; , then xml does not pass signature verification.

    Read more: