injected body trailers

Konstantin Ryabitsev konstantin at linuxfoundation.org
Thu Oct 21 13:44:59 PDT 2021 

On Thu, Oct 21, 2021 at 01:22:31PM -0700, Kees Cook wrote:
> Hi!
> 
> So, I just saw a DKIM failure, and it was entirely justified. :)
> 
> Grabbing thread from lore.kernel.org/all/20211021142516.1843042-1-ardb%40kernel.org/t.mbox.gz
> Checking for newer revisions on https://lore.kernel.org/all/
> Analyzing 1 messages in the thread
> Checking attestation on all messages, may take a moment...
> ---
>   ✓ [PATCH] ARM: stackprotector: prefer compiler for TLS based per-task protector
>     ✓ Signed: openpgp/ardb at kernel.org

You will notice that the openpgp signature passed. This is because we:

1. record the length of the original message when we're creating the signature
   (see l=2495 in X-Developer-Signature)
2. if the initial validation fails and the body is longer than l=2495, we trim
   the body to that number of bytes
3. if the trimmed validation passes, we use that version for the patch body
   content, since that's clearly what the developer intended

>     ✗ BADSIG: DKIM/kernel.org      
>     ✓ Signed: DKIM/lists.infradead.org (From: ardb at kernel.org)
> ---
> 
> This is https://lore.kernel.org/all/20211021142516.1843042-1-ardb@kernel.org/
> and for some reason, the linux-arm-kernel mailing list is injecting a
> body trailer.

"For some reason" is really "that's the default for mailman-2". Mailman-2
belongs to a wholly different era and *can* be configured to be DKIM
compliant, but rarely is.

> I just downloaded this directly and removed the trailer, and the DKIM
> passed. This experience has raise a few questions...
> 
> 1) Can (should) b4 grow logic to progressively strip lines off the end
>    of a body until DKIM passes?

Ah, but then the lists.infradead.org DKIM will fail. Theoretically, we should
always prioritize the signature that is closest aligned with the From: header,
but that's not actually that straightforward, as DNS lookup and validation
rules can get really complex.

> 2) Can the linux-arm-kernel mailing list please stop breaking DKIM?
>    Who should authorize this change (rmk, Catalin)? And who can make
>    the change (peterz)?

The relevant settings should be a) don't add any subject prefixes, b) don't
add anything to the body trailers, c) don't rewrite any other headers (to, cc,
reply-to, etc).

>    (I realize now that all the mail from linux-arm-kernel has been
>    getting dropped into my Spam folder -- I normally don't notice since
>    I'm usually CCed directly or via some other list on things I wanted
>    to see.)
> 
> 3) Are there other lists for which lore is collecting emails where DKIM
>    is persistently broken, and can we fix those lists too?

I would also note that lists.infradead.org should not really be adding its own
DKIM signature to messages it sends out. It doesn't really serve any purpose
unless the From: header is rewritten (but please don't do that either).

-K

More information about the linux-arm-kernel mailing list