OT: DKIM signatures on email messages from lists.gnupg.org

Alexander Leidinger Alexander at leidinger.net
Wed Jun 14 08:54:41 CEST 2023

Quoting Alessandro Vesely <vesely at tana.it> (from Tue, 13 Jun 2023  
19:56:38 +0200):

> On Tue 13/Jun/2023 13:02:09 +0200 Alexander Leidinger via Gnupg-users wrote:
>> Quoting Alessandro Vesely <vesely at tana.it> (from Tue, 13 Jun 2023  
>> 11:19:02 +0200):
>>> On Tue 13/Jun/2023 08:46:06 +0200 Alexander Leidinger via  
>>> Gnupg-users wrote:
>>>> Quoting Alessandro Vesely via Gnupg-users <gnupg-users at gnupg.org>  
>>>> (from Mon, 12 Jun 2023 18:45:37 +0200):
>>>>>> The From was re-written by the list and as such the header  
>>>>>> check fails. The body check fails as the list adds the following:
>>>>>> ---snip---
>>>>>> _______________________________________________
>>>>>> Gnupg-users mailing list
>>>>>> Gnupg-users at gnupg.org
>>>>>> https://lists.gnupg.org/mailman/listinfo/gnupg-users
>>>>>> ---snip---
>>>>> The message verifies after removing the footer.  It can be done  
>>>>> routinely, on some kinds of signatures.
>>>> DKIM doesn't specify an automatic removal of a signature. So I  
>>>> postulate there is no DKIM related tool which does this (only  
>>>> home-grown solutions which need to be specially tailored to the  
>>>> sender as you don't know in advance/automatically if a signature  
>>>> has to be stripped or not, and you can not rely on the way the  
>>>> signature is added, as even this list does not use the age old  
>>>> de-facto standard (which was ignored by big corporations like  
>>>> they did with some other de-facto standards) of "-- " on its own  
>>>> line as a signature separator).
>>> http://www.tana.it/sw/zdkimfilter/zdkimfilter.html#mlmtrans for one.
>>> You may call it home grown, but it's not tailored to a specific  
>>> sender.  Of course it doesn't work on /every/ signature.  Yours,  
>>> for instance, didn't verify.  Gmail's signatures, by contrast,  
>>> verify across most mailing lists.
>> "Yours ... didn't verify": via list or direct?
> I meant via list.  Direct ones verify well.
> BTW your GPG signature doesn't verify.

My MUA tries to validate the GPG signature against the From-address  
(which is @gnupg.org) and as such fails. I haven't tried to validate  
by hand. An email which I had sent to another mailing list shows up  
with a valid GPG signature in my MUA.

>> Any idea if it was because this lists signature was not stripped  
>> (even then, it would need to rewrite the from), or because my  
>> signature was stripped (which it shouldn't)?
> In the message I'm replying to, it was stripped (why?)  In the one  
> before that it didn't verify, probably because of the Reply-To:.  (I  
> can probably fix that, but not today.)

My mails which I get from the list into my inbox all have my  
signature. As such the original message shall have it. Your  
Thunderbird will strip my signature in the reply-window, as it knows  
"^-- $" (regex notation) as a signature separator and IIRC the default  
option in Thunderbird is to strip signatures on reply.

>>>>> See also this:
>>>>> https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail
>>>> You can not expect all subscribers of the list to change their  
>>>> DKIM settings to a more relaxed way or other sending side related  
>>>> stuff. This may not be in the influence of the person (try to get  
>>>> google to change their dkim settings for gmail). As such it is up  
>>>> to the list owner to be a nice netizen. If the list owner(s)  
>>>> insists on message-munging, that's fine, but in this case the  
>>>> list owner(s) has to remove DKIM signatures if they want to have  
>>>> the message delivered correctly for the DKIM-policy=discard case.  
>>>> Any other action which needs involvement of the receiver or the  
>>>> sender will not work in the generic case (and I consider this  
>>>> list to fall into the generic case).
>>> "mailing_list" is one of the provided policy override cases for  
>>> DMARC.  RFC 7489 describes it like so:
>> Appendix C, DMARC XML Schema -> so it's in the report which is  
>> sent. Did I overlook any other place in this RFC which describes  
>> that mailing lists can or should or have to be exempt from DKIM  
>> processing? If not, what do you expect the usual behavior of DKIM  
>> validation software is? Will it have a heuristic for mailing list  
>> detection? Also see "A.3 Sender Header Field" in the RFC, which  
>> explicitly calls it a "poor candidate for inclusion in the DMARC  
>> evaluation algorithm".
> There is no deterministic way to determine if a message is from a

I agree.

> mailing list.  Signatures, either DKIM or ARC, ease that task.  In  
> this respect, I'd sign with d=lists.gnupg.org, not d=gnupg.org.

That would be sensible, if DKIM signing is something the list-owners  
want to do.


http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
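As an added illustration that is not part of the thread: the body-hash failure described above, reproduced in Python over a constructed message body with the quoted Mailman footer appended, followed by the footer-stripping retry the thread discusses. The sample body, the FOOTER_RE pattern and check_body_hash are this example's own constructions, not zdkimfilter's code; the body hash follows RFC 6376 relaxed canonicalization with SHA-256.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the original mail); it ends with the
# "-- " separator the thread mentions, which Mailman's footer does not use.
ORIGINAL_BODY = "Hi all,\r\n\r\nbh= covers the canonicalized body.\r\n\r\n-- \r\nAlexander\r\n"

# The footer quoted in the thread, as Mailman appends it.
LIST_FOOTER = (
    "_______________________________________________\r\n"
    "Gnupg-users mailing list\r\n"
    "Gnupg-users at gnupg.org\r\n"
    "https://lists.gnupg.org/mailman/listinfo/gnupg-users\r\n"
)

# Trailing Mailman footer: underscore rule, a few lines, the listinfo URL.
FOOTER_RE = re.compile(
    r"_{20,}\r\n(?:[^\r\n]*\r\n)*?[^\r\n]*/mailman/listinfo/[^\r\n]*(?:\r\n)*\Z"
)

def relaxed_body(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":  # ignore empty lines at end of body
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """Value of the bh= tag (SHA-256 over the relaxed-canonicalized body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def strip_mailman_footer(body: str) -> str:
    """Drop a trailing Mailman footer; return the body unchanged if none."""
    m = FOOTER_RE.search(body)
    return body[:m.start()] if m else body

def check_body_hash(body: str, bh: str) -> str:
    """Verify bh= as received, then retry once with the list footer removed."""
    if body_hash(body) == bh:
        return "pass"
    if body_hash(strip_mailman_footer(body)) == bh:
        return "pass-after-footer-removal"
    return "fail"

if __name__ == "__main__":
    signed_bh = body_hash(ORIGINAL_BODY)          # what the sender's signer computed
    received = ORIGINAL_BODY + LIST_FOOTER        # what the list delivered
    print(check_body_hash(received, signed_bh))   # pass-after-footer-removal
```

A blank line Mailman may insert before the footer is harmless here, because relaxed canonicalization discards empty lines at the end of the body once the footer is gone.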