...

You may check the integrity of the downloaded certificate in a variety of ways. For example, you could use openssl after the fact to print its fingerprint and compare it against the value published out of band:

$ openssl x509 -sha1 -in incommon.pem -noout -fingerprint
SHA1 Fingerprint=74:27:8F:96:7C:F1:BF:CA:AA:1B:41:AF:B6:33:64:48:A2:15:0E:B4

Once the certificate file is installed locally, you can use it to verify the signature on the metadata file as part of the refresh process. For example, you could use the XmlSecTool to verify the signature:

$ xmlsectool.sh --verifySignature --certificate incommon.pem --inFile InCommon-metadata.xml
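The fingerprint that openssl prints is simply the hash of the certificate's DER encoding, so the comparison against the published value can be automated rather than eyeballed. The following is an added example, not code from the original page or from InCommon: it computes an OpenSSL-style fingerprint from a PEM file and compares it to a pinned value in constant time, tolerating differences in case and colon separators. The PEM body below is a constructed placeholder (the base64 of the bytes "abc") used only so the example runs offline; it is not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Matches the first certificate block in a PEM file (the same block openssl x509 reads).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed placeholder "certificate": base64 of b"abc". A real file would carry the
# DER of the signing certificate you downloaded from the federation.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Strip line breaks, then require strict base64 so a corrupted download fails loudly.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem_text, algorithm="sha1"):
    """OpenSSL-style fingerprint: digest of the DER, upper-case hex, colon separated."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value):
    """Canonical form for comparison: lower-case hex with no colons or spaces."""
    return value.replace(":", "").replace(" ", "").lower()


def pin_matches(pem_text, expected, algorithm="sha1"):
    """True if the certificate's fingerprint equals the published (pinned) value.

    compare_digest avoids leaking how many leading bytes matched, which matters
    little for a public fingerprint but is the right habit for any pin check.
    """
    actual = normalize_fingerprint(fingerprint(pem_text, algorithm))
    return hmac.compare_digest(actual, normalize_fingerprint(expected))


if __name__ == "__main__":
    print("SHA1 Fingerprint=" + fingerprint(SAMPLE_PEM, "sha1"))
    print("SHA256 Fingerprint=" + fingerprint(SAMPLE_PEM, "sha256"))
```

In a refresh script, `pin_matches` would run once against the downloaded certificate before that certificate is handed to the signature verifier; a mismatch should abort the refresh rather than fall through to the old metadata silently. The pinned value itself must come from a channel other than the download (the federation's web page over TLS, a printed fingerprint, or a value already in version control), otherwise the check verifies nothing.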

Expiry Verification

Federation metadata has an expiration date, much like an X.509 certificate. It is important that expired metadata not be accepted: a signature check alone does not catch an old metadata file, because the signature on it is still valid, so an attacker who could interpose on a metadata refresh would be able to substitute a stale copy (for example, one that still lists an entity whose key has since been revoked). In particular, a metadata file should not be accepted if any of the following conditions are true:

...
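The expiration date of SAML metadata is carried in the `validUntil` attribute of the root `EntitiesDescriptor` (or `EntityDescriptor`). The following is an added example, not code from the original page or from InCommon, showing the expiry check that should run alongside signature verification during a refresh: it rejects metadata whose `validUntil` is missing, malformed, or already in the past, and, as an optional extra that this example assumes rather than the page states, metadata whose `validUntil` lies implausibly far in the future. The metadata snippet below is constructed for the example (no signature, a single placeholder entity); the `Name` value and the `entityID` are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOT_TAGS = {"{%s}EntitiesDescriptor" % MD_NS, "{%s}EntityDescriptor" % MD_NS}

# Constructed sample metadata (not real InCommon metadata; signature omitted).
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:incommon" validUntil="2014-03-20T19:08:31Z">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</EntitiesDescriptor>
"""


def parse_saml_datetime(value):
    """Parse an xs:dateTime as SAML metadata requires it: UTC, trailing 'Z'.

    Fractional seconds are optional. Anything else (a local-time offset, a bare
    date) is treated as malformed rather than guessed at.
    """
    if not value.endswith("Z"):
        raise ValueError("validUntil must be expressed in UTC with a trailing 'Z'")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_validity(metadata_xml, now=None, max_lifetime=None):
    """Decide whether a metadata file may be accepted on the basis of validUntil.

    Returns (accepted, reason). `now` may be a timezone-aware datetime or a SAML
    dateTime string; it defaults to the current UTC time. `max_lifetime` is an
    optional timedelta (an assumption of this example, not a rule from the page):
    metadata valid for longer than that is rejected as implausible.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_saml_datetime(now)

    root = ET.fromstring(metadata_xml)
    if root.tag not in ROOT_TAGS:
        return False, "unexpected root element %s" % root.tag

    value = root.get("validUntil")
    if value is None:
        # Metadata with no expiry would never go stale; treat that as a rejection,
        # since a stripped attribute is exactly what a substitution attack would want.
        return False, "missing validUntil"
    try:
        valid_until = parse_saml_datetime(value)
    except ValueError as exc:
        return False, "malformed validUntil %r: %s" % (value, exc)

    if valid_until <= now:
        return False, "metadata expired at %s" % value
    if max_lifetime is not None and valid_until - now > max_lifetime:
        return False, "validUntil %s is more than %s in the future" % (value, max_lifetime)
    return True, "metadata valid until %s" % value


if __name__ == "__main__":
    # Checked against a clock set before and after the sample's validUntil.
    print(check_validity(SAMPLE_METADATA, "2014-03-10T00:00:00Z"))
    print(check_validity(SAMPLE_METADATA, "2014-03-21T00:00:00Z"))
```

Run this after the signature verifies, not instead of it: the signature proves who produced the file, and `validUntil` proves the file is the one they currently intend you to use. Both checks should abort the refresh and leave the previously accepted metadata in place, and the rejection reason belongs in a log an operator will actually read, since a run of expired files usually means the refresh job has been failing for some time.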