On Mon, Jan 23, 2023 at 03:41:21PM +0100, Joachim Breitner wrote:

> Hi Ben,
>
> gentle reminder about this issue? I’m worried I (and maybe others) are
> going to miss gitlab notifications.

A recent gitlab notice has:

    Received: by gitlab.haskell.org (Postfix, from userid 165)
            id AF9E627CA9; Mon, 16 Jan 2023 20:50:59 -0500 (EST)
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gitlab.haskell.org;
            s=mail; t=1673920259;
            bh=bezCH96kI1N9pklJv6GEpVDADij1+8Q/zwCT65Djz/4=;
            h=Date:From:Reply-To:To:Subject:List-Id;
            b=L7ikqNV+Hn0OZzM9AH+rLIvP5P9COe8/zuP7bmSsMJ50kFJ2a7gJy4cbxoX83bNqU
             oBQV78j6nIFV/SRgbaF9vQciNBzWu1GNACMGaqVMVjTBki93xw/hvMv8JDIhAdAYaV
             da96BBtxrTDoDUtFBtYlb5n361TqIDHXHkCqE5Dc=

The DKIM data in DNS is:

    $ dig +short +nosplit -t txt mail._domainkey.gitlab.haskell.org
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiTJ9J8+wWWFRzHjjr5CCbOx33rZaDH2PQsQtTLwOPVZDTSjz8pwUuyQ4s+Xxq6f6UEEAIo/8ZHySJqXG6HN3b6/Gq2SwnE2xLk307gcWzZgyF/9UM5SpcJ46VxYPu2spBQSWhDnRbp849ZouuY/orKT/HMb/9xow25KwWbAyh8wIDAQAB"

Putting it together:

    $ echo MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiTJ9J8+wWWFRzHjjr5CCbOx33rZaDH2PQsQtTLwOPVZDTSjz8pwUuyQ4s+Xxq6f6UEEAIo/8ZHySJqXG6HN3b6/Gq2SwnE2xLk307gcWzZgyF/9UM5SpcJ46VxYPu2spBQSWhDnRbp849ZouuY/orKT/HMb/9xow25KwWbAyh8wIDAQAB |
        openssl base64 -A -d |
        openssl pkey -pubin -inform DER -out /tmp/pkey.pem

    $ openssl base64 -d <<-\EOF > /tmp/sig.dat
    L7ikqNV+Hn0OZzM9AH+rLIvP5P9COe8/zuP7bmSsMJ50kFJ2a7gJy4cbxoX83bNq
    UoBQV78j6nIFV/SRgbaF9vQciNBzWu1GNACMGaqVMVjTBki93xw/hvMv8JDIhAdA
    YaVda96BBtxrTDoDUtFBtYlb5n361TqIDHXHkCqE5Dc=
    EOF

    $ openssl pkeyutl -pubin -inkey /tmp/pkey.pem \
        -encrypt -pkeyopt rsa_padding_mode:none \
        -in /tmp/sig.dat -hexdump
    0000 - 52 90 e5 01 80 fa 77 53-b3 19 97 16 33 70 1e 29   R.....wS....3p.)
    0010 - 7e 7b cf 5c a4 51 b2 eb-7c fa 88 dc ce 92 b2 ac   ~{.\.Q..|.......
    0020 - 4f 86 d4 f1 32 83 55 0a-0b c0 49 92 a3 4a 54 47   O...2.U...I..JTG
    0030 - dc 6b 5d bd 2c 1e 5d 85-cf f4 4f c8 3c c5 3f bd   .k].,.]...O.<.?.
    0040 - 9d 56 29 a2 b5 dc 94 13-50 c3 28 23 0c a0 64 0b   .V).....P.(#..d.
    0050 - 0e 99 96 4a 0f b4 36 1a-3a d6 ff 6f 50 00 1a 38   ...J..6.:..oP..8
    0060 - 09 34 75 a6 d5 29 da 80-7c c1 bd 77 c4 a3 01 32   .4u..)..|..w...2
    0070 - d1 16 b4 8f 6c 3d fd a4-25 8d 53 2b 64 9c d8 ed   ....l=..%.S+d...

We see that the RSA public key operation does not produce a valid
PKCS#1 padded block, so most likely an outdated key is published in DNS,
or the wrong "selector" ("s=" value, currently "mail") was added to the
DKIM signature header (if the correct key is published under some other
selector).

--
    Viktor.

_______________________________________________
ghc-devs mailing list
ghc-devs@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs
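
The check carried out by hand in the message above, as an added Python example (not part of the original message): it parses the DNS `p=` key, applies the raw RSA public operation to the `b=` signature, and tests whether the result is a valid EMSA-PKCS1-v1_5 SHA-256 block. The function names are this example's own, and it assumes the `a=rsa-sha256` algorithm shown in the header.

```python
import base64

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# p= (DNS) and b= (header) values copied from the message above
P_TAG = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDiTJ9J8+wWWFRzHjjr5CCb"
         "Ox33rZaDH2PQsQtTLwOPVZDTSjz8pwUuyQ4s+Xxq6f6UEEAIo/8ZHySJqXG6"
         "HN3b6/Gq2SwnE2xLk307gcWzZgyF/9UM5SpcJ46VxYPu2spBQSWhDnRbp849"
         "ZouuY/orKT/HMb/9xow25KwWbAyh8wIDAQAB")
B_TAG = ("L7ikqNV+Hn0OZzM9AH+rLIvP5P9COe8/zuP7bmSsMJ50kFJ2a7gJy4cbxoX83bNq"
         "UoBQV78j6nIFV/SRgbaF9vQciNBzWu1GNACMGaqVMVjTBki93xw/hvMv8JDIhAdA"
         "YaVda96BBtxrTDoDUtFBtYlb5n361TqIDHXHkCqE5Dc=")

def der_items(buf):
    """Yield (tag, value) for each DER element at one nesting level."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low bits give the byte count
            cnt = n & 0x7F
            n = int.from_bytes(buf[i:i + cnt], "big")
            i += cnt
        yield tag, buf[i:i + n]
        i += n

def rsa_key_from_dkim_p(p_b64):
    """Return (n, e) from the base64 SubjectPublicKeyInfo in a DKIM p= tag."""
    (_, spki), = der_items(base64.b64decode(p_b64))
    (_, _alg), (_, bitstr) = der_items(spki)
    (_, rsakey), = der_items(bitstr[1:])  # skip the unused-bits octet
    (_, n), (_, e) = der_items(rsakey)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def recover_sha256_digest(sig, n, e):
    """Return the digest inside the signature, or None if the RSA public
    operation does not yield a valid EMSA-PKCS1-v1_5 SHA-256 block."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    pad_len = k - 3 - len(SHA256_PREFIX) - 32
    if len(sig) != k or s >= n or pad_len < 8:
        return None
    em = pow(s, e, n).to_bytes(k, "big")
    head = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + SHA256_PREFIX
    return em[len(head):] if em.startswith(head) else None

if __name__ == "__main__":
    n, e = rsa_key_from_dkim_p(P_TAG)
    digest = recover_sha256_digest(base64.b64decode(B_TAG), n, e)
    print(digest.hex() if digest else "no PKCS#1 block: key or selector mismatch")
```

When a digest is returned, a full DKIM check still has to compare it with the SHA-256 hash of the canonicalized signed headers, which this example does not compute.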