The purpose of this script is exclusively to read invoices received from the *Sistema di Interscambio*.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
This repo is archived. You can view files and clone it, but cannot push or open issues/pull-requests.
Franco Masotti cdbd41ef3b
3 years ago
.gitignore Minor fixes. 3 years ago
LICENSE Added copyright notices and license. 3 years ago Update 3 years ago
fbla Added assertion library and minor fixes. 3 years ago
fbopt Added installation instructions. 3 years ago
get_fattura_pa Minor fixes. 3 years ago
get_fattura_pa.conf Added a couple of new variables. 3 years ago


The purpose of this script is exclusively to read invoices received from the Sistema di Interscambio.


Table of contents



See all get-fattura-pa releases.


The following terms are used throughout this document and within the source code.

Term Meaning
checksum a file integrity check
signed file the invoice file signed using a PKCS # 7 system
certificate proves that the public key used for the signature is authentic
metadata file a file that contains the checksum of the signed file as well as other information
original file the invoice file without the signature
attachments user certain conditions, the files encoded as base64 binaries in the original file


  • Given a metadata file called document.xml and a signed file called document.xml.p7m, you can verify and extract the original file and attachments with the following command:

    $ ./get_fattura_pa document.xml document.xml.p7m
  • If you are not in possession of the metadata file or there is a problem with it, you may also skip the checksum:

    $ ./get_fattura_pa --ignore-checksum /dev/null document.xml.p7m


The purpose of this script is exclusively to read invoices received from the
*Sistema di Interscambio*

Mandatory arguments to long options are mandatory for short options too.
    -c, --ignore-checksum                   avoid checksum comparision between
                                            the metadata file and the signed
    -e, --ignore-certificate                avoid checking the certificate
                                            used by the signer
    -f, --force-certificates-download       update the certificate list even if
                                            a certificate file is already
    -h, --help                              print this help
    -n, --no-extract-attachments            avoid extracting possible
                                            attachments if the original
                                            file is an XML file
    --print-flags                           print the enabled options. This can also
                                            be used to print the default options
    -q, --quiet                             show errors and hide every other
    -s, --ignore-signature                  avoid checking the cryptographic
                                            signature of the file

Exit status:
 0  if OK,
 1  if an error occurred.

This  is  free  software: you are free to change and redistribute it.  There
is NO WARRANTY, to the extent  permitted by law.
License GPLv3+: GNU GPL version 3 or later <>.
Copyright © 2018 Enio Carboni - Italy    (see
            2019 Franco Masotti (frnmst) <>


You need to install the following packages and the ones listed for fbopt and fbla:

Package Executable Version command Package version
GNU coreutils /bin/sha256sum, /bin/base64 $ ${Executable} --version (GNU coreutils) 8.30
XMLStarlet /bin/xmlstarlet $ xmlstarlet --version 1.6.1 compiled against libxml2 2.9.8, linked with 20909 compiled against libxslt 1.1.32, linked with 10133-GITv1.1.33
GNU Awk /bin/gawk $ gawk --version GNU Awk 4.2.1, API: 2.0 (GNU MPFR 4.0.1, GNU MP 6.1.2)
curl /bin/curl $ curl --version curl 7.63.0 (x86_64-pc-linux-gnu) libcurl/7.63.0 OpenSSL/1.1.1a zlib/1.2.11 libidn2/2.1.0 libpsl/0.20.2 (+libidn2/2.1.0) libssh2/1.8.0 nghttp2/1.35.1 Release-Date: 2018-12-12
OpenSSL /bin/openssl $ openssl version OpenSSL 1.1.1a 20 Nov 2018 or OpenSSL 1.0.2g 1 Mar 2016


Arch Linux based distros

# pacman -S coreutils xmlstarlet gawk curl openssl

Debian based distros

# apt-get install coreutils xmlstarlet gawk curl openssl 


If there is a failure in any point of this pipeline the program stops and returns an error code.

Step number Actions Optional Suggested Depends on step number
1 check script dependencies no - -
2 check input files no - -
3 check signed file integrity given the metadata file (checksum) yes yes -
4 get certificates from the government's website yes yes -
5 check signature and signer's certificate of the signed file yes yes 4
6 extract the original file from the signed file no - -
7 decode possible attachments from the original file yes yes 6


  • There seems to be some issue in step number 5, specifically in the signature verification phase. Using OpenSSL version 1.1.1a 20 Nov 2018 sometimes fails while OpenSSL version 1.0.2g 1 Mar 2016 does not.


Original script

Fattura PA

PKCS # 7

Copyright (c) 2018 Enio Carboni - Italy (see

Copyright (c) 2019 Franco Masotti (frnmst); franco [dot] masotti [at] live [dot] com

get-fattura-pa is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

get-fattura-pa is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with get-fattura-pa. If not, see