Signature process in LibreOffice 6.3

[Steve Martin]

Hello,

my name is Steve Martin and I am an enrolled student at the Ruhr 
University Bochum. I have a question regarding the implementation of the 
signature process in LibreOffice.

I use a self-created X.509 certificate for signing my ODT documents.

As soon as I sign my ODT document, the file "documentsignatures.xml" is 
created in the META-INF folder in the OpenDocument package. Before I 
signed my ODT document, I had decompressed the ODT document and added an 
additional file entry in META-INF/manifest.xml:

<manifest:file-entry manifest:full-path="Thumbnails/meta.xml" 
manifest:media-type="text/xml"/>

Then I saved the manifest.xml file and compressed all the files back 
into a ZIP package. I can now open this file with LibreOffice and sign 
it with my X.509 certificate.

After I signed the document, I decompressed it again and copied the 
meta.xml file into the Thumbnails directory. Thanks to the previously 
added file entry in the manifest.xml file, I can now compress all the 
partial files back into a ZIP archive and open the document with 
LibreOffice as normal, without being shown the message that the file is 
corrupted.

However, I don't understand why do I get now the message that the 
signature is not valid? I decompressed the ODT document with the invalid 
signature and compared the documentsignatures.xml file contained in the 
META-INF folder with the documentsignatures.xml file that was created 
immediately after the signature was created. Both files are exactly the 
same and neither contain the value "Thumbnails/meta.xml" in the URI 
attribute in the <Reference> elements.

Since none of the files that are listed in the documentsignatures.xml 
were manipulated, the signature should be valid? Or is there another 
signature somewhere besides the XML signature about the file structure 
of the ODT document?

Thanks many for your help

Steve