From 770e31056d1b5c7580769c5aa916580827c47041 Mon Sep 17 00:00:00 2001
From: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Date: Thu, 10 Dec 2020 17:09:55 -0500
Subject: DKIM: remove extra public-inbox headers

The reason alsa-devel DKIM verification is failing is because the
List-Archive header is included in the hashed value. This header is
added by public-inbox to all messages retrieved via the API, so try
ejecting those headers and retrying verification.

Link: https://public-inbox.org/meta/20201210202145.7agtcmrtl5jec42d@chatter.i7.local
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
---
 b4/__init__.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/b4/__init__.py b/b4/__init__.py
index 795ebb6..b8d3191 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -1691,6 +1691,7 @@ class LoreAttestationSignatureDKIM(LoreAttestationSignature):
         # self.native_verify()
         # return
 
+        ejected = set()
         while True:
             dks = self.msg.get('dkim-signature')
             if not dks:
@@ -1707,6 +1708,30 @@ class LoreAttestationSignatureDKIM(LoreAttestationSignature):
             else:
                 res = dkim.verify(self.msg.as_bytes())
             if not res:
+                # is list-archive or archived-at part of h=?
+                hline = ddata.get('h')
+                if hline:
+                    hsigned = set(hline.lower().split(':'))
+                    if 'list-archive' in hsigned or 'archived-at' in hsigned:
+                        # Public-inbox inserts additional List-Archive and Archived-At headers,
+                        # which breaks DKIM signatures if these headers are included in the hash.
+                        # Eject the ones created by public-inbox and try again.
+                        # XXX: This may no longer be necessary at some point if public-inbox takes care
+                        #      of this scenario automatically:
+                        #      https://public-inbox.org/meta/20201210202145.7agtcmrtl5jec42d@chatter.i7.local
+                        logger.debug('Ejecting extra List-Archive headers and retrying')
+                        changed = False
+                        for header in reversed(self.msg._headers):  # noqa
+                            hl = header[0].lower()
+                            if hl in ('list-archive', 'archived-at') and hl not in ejected:
+                                self.msg._headers.remove(header)  # noqa
+                                ejected.add(hl)
+                                changed = True
+                                break
+                        if changed:
+                            # go for another round
+                            continue
+
                 logger.debug('DKIM signature did NOT verify')
                 logger.debug('Retrying with the next DKIM-Signature header, if any')
                 at = 0
-- 
cgit v1.2.3