injected body trailers

David Woodhouse dwmw2 at infradead.org
Thu Oct 21 14:42:46 PDT 2021 

On Thu, 2021-10-21 at 16:44 -0400, Konstantin Ryabitsev wrote:
> On Thu, Oct 21, 2021 at 01:22:31PM -0700, Kees Cook wrote:
> > Hi!
> > 
> > So, I just saw a DKIM failure, and it was entirely justified. :)
> > 
> > Grabbing thread from lore.kernel.org/all/20211021142516.1843042-1-ardb%40kernel.org/t.mbox.gz
> > Checking for newer revisions on 
> > https://lore.kernel.org/all/
> > 
> > Analyzing 1 messages in the thread
> > Checking attestation on all messages, may take a moment...
> > ---
> >   ✓ [PATCH] ARM: stackprotector: prefer compiler for TLS based per-task protector
> >     ✓ Signed: openpgp/
> > ardb at kernel.org
> > 
> 
> You will notice that the openpgp signature passed. This is because we:
> 
> 1. record the length of the original message when we're creating the signature
>    (see l=2495 in X-Developer-Signature)
> 2. if the initial validation fails and the body is longer than l=2495, we trim
>    the body to that number of bytes
> 3. if the trimmed validation passes, we use that version for the patch body
>    content, since that's clearly what the developer intended
> 

All this was known when DKIM was first invented, and the fact that DKIM
signatures would break with fairly much all mailing lists was also
known, the moment they decided to go ahead with DKIM in its current
state without any solution for it.




> >     ✗ BADSIG: DKIM/kernel.org      
> >     ✓ Signed: DKIM/lists.infradead.org (From: ardb at kernel.org)

Hm. I thought I had configured mailman to *remove* older DKIM
signatures (which are going to be broken). The message you receive
should *only* have the newly-added signature corresponding to the
Sender: of the message. The original one was superseded by the new one
and should have been removed.


> > 
> > This is 
> > https://lore.kernel.org/all/20211021142516.1843042-1-ardb@kernel.org/
> > 
> > and for some reason, the linux-arm-kernel mailing list is injecting a
> > body trailer.
> 
> "For some reason" is really "that's the default for mailman-2". Mailman-2
> belongs to a wholly different era and *can* be configured to be DKIM
> compliant, but rarely is.
> 

That's what mailing lists have always done, because users are stupid
and need to be reminded in *every* single message that this is a
mailing list and this is how they unsubscribe. Really, even *with* that
reminder there are plenty of people who can't work it out.

> > I just downloaded this directly and removed the trailer, and the DKIM
> > passed. This experience has raise a few questions...
> > 
> > 1) Can (should) b4 grow logic to progressively strip lines off the end
> >    of a body until DKIM passes?
> 
> Ah, but then the lists.infradead.org DKIM will fail. Theoretically, we should
> always prioritize the signature that is closest aligned with the From: header,
> but that's not actually that straightforward, as DNS lookup and validation
> rules can get really complex.
> 

Surely the Sender: header should take priority. That one would work.

> > 2) Can the linux-arm-kernel mailing list please stop breaking DKIM?
> >    Who should authorize this change (rmk, Catalin)? And who can make
> >    the change (peterz)?
> 

I run the host but per-list settings are up to the admin of the
individual list. For the lak list, vince at kyllikki.org and 
mouw at nl.linux.org are listed as admins. I don't know if that
corresponds with who actually remembers the list password these days; I
can set a new one and provide it if that's helpful.


> The relevant settings should be a) don't add any subject prefixes, b) don't
> add anything to the body trailers, c) don't rewrite any other headers (to, cc,
> reply-to, etc).
> 
> >    (I realize now that all the mail from linux-arm-kernel has been
> >    getting dropped into my Spam folder -- I normally don't notice since
> >    I'm usually CCed directly or via some other list on things I wanted
> >    to see.)
> > 
> > 3) Are there other lists for which lore is collecting emails where DKIM
> >    is persistently broken, and can we fix those lists too?
> 
> I would also note that lists.infradead.org should not really be adding its own
> DKIM signature to messages it sends out. It doesn't really serve any purpose
> unless the From: header is rewritten (but please don't do that either).

No, it matches the Sender: header, which is the entity that actually
submitted the mail to the system (as opposed to the possibly multiple
entities listed in the From: header, which are merely authors of the
message).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5174 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20211021/11c49862/attachment-0001.p7s>

More information about the linux-arm-kernel mailing list