tools.linux.kernel.org archive mirror
* Re: [kernel.org users] b4: DKIM verification available
From: Konstantin Ryabitsev @ 2020-11-22 17:38 UTC
  To: Kees Cook; +Cc: users, tools

On Sat, Nov 21, 2020 at 04:28:08PM -0800, Kees Cook wrote:
> On Fri, Nov 20, 2020 at 05:15:30PM -0500, Konstantin Ryabitsev wrote:
> > I'm gearing up for b4 0.6.0, which adds a handful of new features around 
> > attestation. Specifically, it enables DKIM verification if the required 
> > library is available. It used to be a futile exercise due to almost 
> > every mailing list breaking it in terrible ways, but vger now properly 
> > preserves headers so that DKIM signatures verify nearly all the time.  
> 
> Nice! This works for me.
> 
> I wanted to look at X-Patch-Sig verification too, but realized I couldn't
> actually search lore for an arbitrary header to find an example. And so
> I went to the lore git, and from a worktree, I found no one using the
> new b4 GPG attestation yet ("git log -S X-Patch-Sig").

Well, it's not in any released version yet, so it's not surprising. :) 
You can test it on some of my bogus series posts:

b4 am -o/tmp 20201120212731.1645654-1-konstantin@linuxfoundation.org

The 0.6 release will only support mode=pgp in addition to plain DKIM.

> (I was hoping to have my own series up to use as an example, but I
> mucked up the order of operations. Next one should include it, 
> though!)

Basically, you just run "b4 attest *.patch" before running "git 
send-email". You can actually do this via adding the following to 
.git/hooks/sendemail-validate:

#!/bin/sh
# git send-email passes the path of the patch file as $1
/path/to/your/b4/b4.sh attest "$1"

I'll add documentation for this before 0.6 is out.

Thanks for being willing to be my test subject. :)

-K


* Re: [kernel.org users] b4: DKIM verification available
From: Kees Cook @ 2020-11-22 17:51 UTC
  To: Konstantin Ryabitsev; +Cc: users, tools

On Sun, Nov 22, 2020 at 12:38:59PM -0500, Konstantin Ryabitsev wrote:
> On Sat, Nov 21, 2020 at 04:28:08PM -0800, Kees Cook wrote:
> > On Fri, Nov 20, 2020 at 05:15:30PM -0500, Konstantin Ryabitsev wrote:
> > > I'm gearing up for b4 0.6.0, which adds a handful of new features around 
> > > attestation. Specifically, it enables DKIM verification if the required 
> > > library is available. It used to be a futile exercise due to almost 
> > > every mailing list breaking it in terrible ways, but vger now properly 
> > > preserves headers so that DKIM signatures verify nearly all the time.  
> > 
> > Nice! This works for me.
> > 
> > I wanted to look at X-Patch-Sig verification too, but realized I couldn't
> > actually search lore for an arbitrary header to find an example. And so
> > I went to the lore git, and from a worktree, I found no one using the
> > new b4 GPG attestation yet ("git log -S X-Patch-Sig").
> 
> Well, it's not in any released version yet, so it's not surprising. :) 
> You can test it on some of my bogus series posts:
> 
> b4 am -o/tmp 20201120212731.1645654-1-konstantin@linuxfoundation.org
> 
> The 0.6 release will only support mode=pgp in addition to plain DKIM.

Excellent!

> 
> > (I was hoping to have my own series up to use as an example, but I
> > mucked up the order of operations. Next one should include it, 
> > though!)
> 
> Basically, you just run "b4 attest *.patch" before running "git 
> send-email". You can actually do this via adding the following to 

Yeah, that's what I discovered (I hadn't realized it had switched to using
injected headers).

> .git/hooks/sendemail-validate:
> 
> #!/bin/sh
> # git send-email passes the path of the patch file as $1
> /path/to/your/b4/b4.sh attest "$1"
> 
> I'll add documentation for this before 0.6 is out.

Ah, nice; that's cleaner than what I was doing.

> Thanks for being willing to be my test subject. :)

Thanks for writing all this! :)

-- 
Kees Cook                                            @outflux.net


* Re: [kernel.org users] b4: DKIM verification available
From: Konstantin Ryabitsev @ 2020-11-23 18:17 UTC
  To: Jason Gunthorpe; +Cc: James Bottomley, users, tools

On Mon, Nov 23, 2020 at 12:42:20PM -0400, Jason Gunthorpe wrote:
> Konstantin: This seems like a few bad behaviors here.. Shouldn't the
> first one report the DKIM failure??

Yeah, but I try not to put in features that everyone would immediately 
turn off due to high false-positive rates. :) We treat a successful DKIM 
verification as a nice surprise and quietly move on otherwise.

> It also feels like b4 should try other list archives if the DKIM is
> bad. eg inspect the to/cc headers and pick a vger list if available.

There is a better solution that should become available in the future 
releases of public-inbox:

- it'll allow us to combine threads from multiple lists
- when multiple sources match, we'll be able to assign a "weighting" 
  metric that should let us pick vger lists over mailman lists when the 
  same message exists on both

-K
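
Why the choice of list archive decides whether DKIM verifies, as an added example that is not part of the original thread and not b4's code: it applies RFC 6376 "relaxed" canonicalization to constructed messages and reports which signed inputs a list changed. The sample messages, the `what_broke` helper and the relaxed/sha256 choice are assumptions; no DNS lookup or RSA check is performed.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a sha256 signer records in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 "relaxed" header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def what_broke(signed: dict, delivered: dict) -> list:
    """List the signed parts (bh or header names) that no longer match."""
    broken = []
    if body_hash(signed["body"]) != body_hash(delivered["body"]):
        broken.append("bh")
    for name in signed["h"]:  # headers named in the signature's h= tag
        pair = [relaxed_header(name, m["headers"].get(name, "")) for m in (signed, delivered)]
        if pair[0] != pair[1]:
            broken.append(name)
    return broken

# Constructed sample: the message as the sender's server signed it.
SIGNED = {
    "h": ["from", "subject"],
    "headers": {"from": "Dev <dev@example.org>", "subject": "[PATCH] fix frob"},
    "body": b"Fix the frob.\r\n---\r\n frob.c | 2 +-\r\n",
}
# Constructed: a list that only refolds a header and adds a trailing blank line.
PASSTHROUGH = {
    "headers": {"from": "Dev <dev@example.org>", "subject": "[PATCH] fix\r\n frob"},
    "body": SIGNED["body"] + b"\r\n",
}
# Constructed: a list that tags the Subject and appends a footer.
REWRITTEN = {
    "headers": {"from": "Dev <dev@example.org>", "subject": "[list] [PATCH] fix frob"},
    "body": SIGNED["body"] + b"_______\r\nlist mailing list\r\n",
}
```

`what_broke(SIGNED, PASSTHROUGH)` is empty because refolding and trailing blank lines are absorbed by canonicalization, while `what_broke(SIGNED, REWRITTEN)` names both the body hash and the Subject header.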


* Re: [kernel.org users] b4: DKIM verification available
From: Jason Gunthorpe @ 2020-11-23 18:28 UTC
  To: Konstantin Ryabitsev; +Cc: James Bottomley, users, tools

On Mon, Nov 23, 2020 at 01:17:46PM -0500, Konstantin Ryabitsev wrote:
> On Mon, Nov 23, 2020 at 12:42:20PM -0400, Jason Gunthorpe wrote:
> > Konstantin: This seems like a few bad behaviors here.. Shouldn't the
> > first one report the DKIM failure??
> 
> Yeah, but I try not to put in features that everyone would immediately 
> turn off due to high false-positive rates. :)

Do you think it is that bad? According to DMARC data vger lists are
nearly 100% these days, b4 could sense vger and turn it on properly.

It would be interesting to see some stats on some of the vger lists
from lore to get a sense how many senders are misconfigured.

If you are going in this direction having vger reject messages that
fail DKIM signature checking just like it rejects HTML messages would
instantly make it usable. :)

> verification as a nice surprise and quietly move on otherwise.

Well in this way it will have no impact on any workflow or any change
in the git commits..

Jason
