SignedXml.CheckSignature returns false when the root element has namespace declarations

[ajf...@blueyonder.co.uk]

Hi,

I am using SignedXml with RSACryptoServiceProvider to sign some XML.
the verification seems to work OK if there is no namespace declaration
on the root element of the XML but if there is one it always returns
false.

here's a complete example:

XmlDocument doc = new XmlDocument();
doc.LoadXml("<foo xmlns:foo=\"foo\" />");
SignedXml sx = new SignedXml(doc);
RSACryptoServiceProvider csp = new RSACryptoServiceProvider();
sx.SigningKey = csp;
Reference refe = new Reference("");
sx.AddReference(refe);
sx.ComputeSignature();
XmlElement signature = sx.GetXml();
SignedXml sx2 = new SignedXml(doc);
sx.LoadXml(signature);
bool result = sx.CheckSignature(csp);

note that it's signing and verifying exactly the same bit of XML with
exactly the same CryptoServiceProvider. The example as shown always
returns false but if you replace the second line with:

doc.LoadXml("<foo />");

The CheckSignature method returns true.

Is there some subtlety with the way namespaces work in XML signatures
or is this a bug in the implementation?

note that the namespace isn't even referenced in the XML content so I
wouldn't expect it to have any effect. If I add a simlar namespace
declaration to a sub-node it doesn't affect the signature at all.