Created attachment 4440 [details]
DKIM signing test keys (private keys), encrypted, gpg ascii armoured

The attached tar contains a couple of DKIM signing private keys (pem),
which could be used to generate signatures in test mail samples.
The public-only counterpart of these keys will be attached separately.

As these private keys should probably not be publically readable,
I wrapped them in a tar, gzipped, and encrypted with gpg, producing
ascii armour. It is encrypted with the two keys I could find
(and with mine):

gpg: ELG-E/AES256 encrypted for:
  "58B6BDD8 Mark Martinec <Mark.Martinec@ijs.si>"
gpg: ELG-E/AES256 encrypted for:
  "0A6B05C3 Daryl C. W. O'Shea <spamassassin@dostech.ca>"
gpg: ELG-E/AES256 encrypted for:
  "91363797 Justin Mason Signing Key (Code Signing Only) <signingkey@jmason.org>"

I tried encrypting it also for key 5244EC45 (updates.spamassassin.org Signing Key, <release@spamassassin.org>), but gpg complains that the key is unusable for
this purpose. Didn't investigate.

If somebody else wants a copy, please let me know.
I just don't want it lying around in the bugzilla unprotected.

The tar contains files:

-rw-------  0 root   wheel     400 Apr 24 19:32 sa-test-0384.pem
-rw-------  0 root   wheel     493 Apr 24 19:32 sa-test-0512.pem
-rw-------  0 root   wheel     591 Apr 24 19:32 sa-test-0640.pem
-rw-------  0 root   wheel     692 Apr 24 19:33 sa-test-0768.pem
-rw-------  0 root   wheel     887 Apr 24 19:33 sa-test-1024.pem
-rw-------  0 root   wheel    1086 Apr 24 19:33 sa-test-1280.pem
-rw-------  0 root   wheel    1277 Apr 24 19:33 sa-test-1536.pem
-rw-------  0 root   wheel    1679 Apr 24 19:34 sa-test-2048.pem
-rw-------  0 root   wheel    2459 Apr 24 19:35 sa-test-3072.pem
-rw-------  0 root   wheel    3243 Apr 24 19:35 sa-test-4096.pem
-rw-------  0 root   wheel     887 Apr 24 20:10 sa-test-revoked.pem
-rw-r--r--  0 root   wheel    3898 Apr 24 20:57 db.ijs-dkim-testkeys

(the numbers are key size in bits)

The last one db.ijs-dkim-testkeys is actually meant to be public viewable,
and I'll attach it separately.

Created attachment 4441 [details]
a BIND zone file with public DKIM keys; their private part is in the first attachment

The attached file is in a syntax directly usable as a BIND zone file.

It can be either $INCLUDE-d from another zone file
and at the same time given its origin, e.g.:

$INCLUDE db.ijs-dkim-testkeys sa-test.spamassassin.org.

or can be used as a standalone zone file, but in this case
it needs an $ORIGIN clause at its beginning, e.g.:

$ORIGIN sa-test.spamassassin.org.


No rush, but it would be nice to have it published under some
domain which will be usable when t/dkim.t is being run by
people installing SpamAssassin.

It may but need not be a 'sa-test.spamassassin.org' zone,
I just used it as an example DNS zone name.

> No rush, but it would be nice to have it published under some
> domain which will be usable when t/dkim.t is being run by
> people installing SpamAssassin.
> 
> It may but need not be a 'sa-test.spamassassin.org' zone,
> I just used it as an example DNS zone name.

applied -- under that name. why not ;)

Sorry for a long delay. Here is my first attempt at dkim.t .


Bug 6100: add my first draft rewrite attempt at a Plugin::DKIM
tests, based on public test keys as published under domain
sa-test.spamassassin.org.  The new test program is t/dkim2.t
(the t/dkim.t is left disabled and untouched), along with
a set of test mail messages in a new directory t/data/dkim.
More test messages should be added eventually.
Adding         t/data/dkim
Adding         t/data/dkim/test-fail-01.msg
Adding         t/data/dkim/test-fail-02.msg
Adding         t/data/dkim/test-fail-03.msg
Adding         t/data/dkim/test-fail-04.msg
Adding         t/data/dkim/test-fail-05.msg
Adding         t/data/dkim/test-fail-06.msg
Adding         t/data/dkim/test-pass-01.msg
Adding         t/data/dkim/test-pass-02.msg
Adding         t/data/dkim/test-pass-03.msg
Adding         t/data/dkim/test-pass-04.msg
Adding         t/data/dkim/test-pass-05.msg
Adding         t/data/dkim/test-pass-06.msg
Adding         t/data/dkim/test-pass-07.msg
Adding         t/data/dkim/test-pass-08.msg
Adding         t/dkim2.t
Transmitting file data ...............
Committed revision 782752.

Thanks Justin for publishing the DNS test zone. Keys seem alright,
except for the last one, the revoked key t0000, which I have
edited and broke at the last moment (before posting attachments),
losing a semicolon before a 'p' tag:

wrong:
t0000._domainkey        3600 TXT ("v=DKIM1; n="revoked key" p=")

right:
t0000._domainkey        3600 TXT ("v=DKIM1; n=revoked key; p=")

No rush, but at some opportunity I'd appreciate a fix (along with
a bump of the SOA sequence number.

One more thing regarding the sa-test.spamassassin.org domain.
It seems it is not a proper zone, but just a bunch of RR entered
into the spamassassin.org zone. Which is perfectly alright, except
for one detail. Clients implementing ADSP are supposed to check
for existence of a domain in the absence of an _adsp._domainkey RR.
The problem is that a domain sa-test.spamassassin.org does not have
*any* record (not a SOA, NS, A, MX, TXT), which yields a NXDOMAIN
on a DNS query. I suggest we give it at least one RR, perhaps a
dummy A:

sa-test.spamassassin.org.  A  127.0.0.1

(or just "@ A 127.0.0.1" if $ORIGIN is already at spamassassin.org)

now done.  how's it look?

btw if you like I can set up your account on the zone; you have the privs to be given one.

> now done.  how's it look?

Thanks! The revoked key is alright now.

I still see a NXDOMAIN on a query for any RR in sa-test.spamassassin.org,
but that's alright, it's a cosmetic detail, not to bother for now.

> btw if you like I can set up your account on the zone;
> you have the privs to be given one.

I wouldn't turn down the offer, thanks. It may come handy
in case of some emergency or some trivial fix, although
I don't expect to use it often.

> Added 13 new test messages to t/data/dkim/
> Committed revision 786103.

Found another glitch in published public keys, so that currently the
DKIM validation of test-pass-11.msg fails. The t1024c RR entry in DNS
should be:

t1024c._domainkey       3600 TXT (
  "p= " " MIG" "fMA0GCSqGSI" "b3DQEBAQUAA4GNADCBi"
  "QKBgQC1TyXrYgvAK/TExmQrDNDCltfH"
  "h5JSf9+yDKD6sGuJVSUv+fAg/BWnAtydBwGoYMvibBfqX"
  "Bfi6B/AwuxBJQeYUaDA" "S" "09" "kH4" "uQYkKI9yhdKgeo2JU"
  "0StcZ7IVK9JpQFqzhJs/UkMvmFebSaDHr5Ttco/CX"
  "GWD7M0OTY5jkInh/oQIDA" "QAB" ";v= " " DKIM1 "
)

...just as it stands in my first attachment.

As it is currently, it is missing the last three strings:
  "QAB" ";v= " " DKIM1 "
at its end, or at least a DNS query does not return it,
the response is truncated after 'h/oQIDA"':
  $ host -t txt t1024c._domainkey.sa-test.spamassassin.org

I tried publishing the same key under our zone, and the response
from our DNS is ok, so my guess is that it's just a typo in a
zone file, not a DNS server problem or some firewall problem.

> Found another glitch in published public keys, so that currently the
> DKIM validation of test-pass-11.msg fails. The t1024c RR entry in DNS
> should be: [...]
> As it is currently, it is missing the last three strings:
>   "QAB" ";v= " " DKIM1 "
> at its end, or at least a DNS query does not return it,
> the response is truncated after 'h/oQIDA"':
>   $ host -t txt t1024c._domainkey.sa-test.spamassassin.org

On examining closer, the zone file is correct, and one of the
spamassassin.org NS servers serves it correctly, but the other three
do not, and crop the result:

$ host -t ns spamassassin.org
spamassassin.org name server ns.hyperreal.org.
spamassassin.org name server a.auth-ns.sonic.net.
spamassassin.org name server b.auth-ns.sonic.net.
spamassassin.org name server c.auth-ns.sonic.net.


Good:

$ host -t txt t1024c._domainkey.sa-test.spamassassin.org ns.hyperreal.org

t1024c._domainkey.sa-test.spamassassin.org descriptive text "p= " " MIG" "fMA0GCSqGSI" "b3DQEBAQUAA4GNADCBi" "QKBgQC1TyXrYgvAK/TExmQrDNDCltfH" "h5JSf9+yDKD6sGuJVSUv+fAg/BWnAtydBwGoYMvibBfqX" "Bfi6B/AwuxBJQeYUaDA" "S" "09" "kH4" "uQYkKI9yhdKgeo2JU" "0StcZ7IVK9JpQFqzhJs/UkMvmFebSaDHr5Ttco/CX" "GWD7M0OTY5jkInh/oQIDA" "QAB" "\;v= " " DKIM1 "


Bad (cropped):

$ host -t txt t1024c._domainkey.sa-test.spamassassin.org a.auth-ns.sonic.net

t1024c._domainkey.sa-test.spamassassin.org descriptive text "p= " " MIG" "fMA0GCSqGSI" "b3DQEBAQUAA4GNADCBi" "QKBgQC1TyXrYgvAK/TExmQrDNDCltfH" "h5JSf9+yDKD6sGuJVSUv+fAg/BWnAtydBwGoYMvibBfqX" "Bfi6B/AwuxBJQeYUaDA" "S" "09" "kH4" "uQYkKI9yhdKgeo2JU" "0StcZ7IVK9JpQFqzhJs/UkMvmFebSaDHr5Ttco/CX" "GWD7M0OTY5jkInh/oQIDA"

(and the same for b.auth-ns.sonic.net and c.auth-ns.sonic.net)

> On examining closer, the zone file is correct, and one of the
> spamassassin.org NS servers serves it correctly, but the other three
> do not, and crop the result:

Perfect, now fixed.
Thanks to a quick response by guys at sonic.net!

The main goal of this PR was achieved, so I'll close it.

Some improvements are still possible, e.g. speeding up the
test tenfold by not invoking the complete spamassassin for
each sample message, but keeping a persistent SA object
and reusing it for each test. And adding some further
tests exercising canonicalization, EDNS and ADSP, but
these are lower on priority.

  Speed up the t/dkim2.t by 40% by using a persistent SA object and
  avoid starting a command line spamassassin for each test message.
  Do tests in sorted order of test messages instead of in the
  seemingly random order of files as read from a directory.
  Print out a name of each test message.
Sending        t/dkim2.t
Committed revision 791499.

reopening this bug just to track it as we need to get the test passing (or at least skipping) for 3.3.0 release.

still failing for me:

: 113...; prove -v t/dkim2.t 
t/dkim2....1..108
# Running under perl version 5.008008 for linux
# Current time local: Mon Jul  6 16:42:22 2009
# Current time GMT:   Mon Jul  6 16:42:22 2009
# Using Test.pm version 1.25
ok 1
        Testing sample data/dkim/test-pass-01.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 2
# Failed test 2 in t/SATest.pm at line 707
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 3
# Failed test 3 in t/SATest.pm at line 707 fail #2
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 4
# Failed test 4 in t/SATest.pm at line 707 fail #3
Output can be examined in: 
not ok 5
# Failed test 5 in t/dkim2.t at line 112
        Testing sample data/dkim/test-pass-02.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 6
# Failed test 6 in t/SATest.pm at line 707 fail #4
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 7
# Failed test 7 in t/SATest.pm at line 707 fail #5
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 8
# Failed test 8 in t/SATest.pm at line 707 fail #6
Output can be examined in: 
not ok 9
# Failed test 9 in t/dkim2.t at line 112 fail #2
        Testing sample data/dkim/test-pass-03.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 10
# Failed test 10 in t/SATest.pm at line 707 fail #7
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 11
# Failed test 11 in t/SATest.pm at line 707 fail #8
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 12
# Failed test 12 in t/SATest.pm at line 707 fail #9
Output can be examined in: 
not ok 13
# Failed test 13 in t/dkim2.t at line 112 fail #3
        Testing sample data/dkim/test-pass-04.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 14
# Failed test 14 in t/SATest.pm at line 707 fail #10
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 15
# Failed test 15 in t/SATest.pm at line 707 fail #11
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 16
# Failed test 16 in t/SATest.pm at line 707 fail #12
Output can be examined in: 
not ok 17
# Failed test 17 in t/dkim2.t at line 112 fail #4
        Testing sample data/dkim/test-pass-05.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 18
# Failed test 18 in t/SATest.pm at line 707 fail #13
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 19
# Failed test 19 in t/SATest.pm at line 707 fail #14
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 20
# Failed test 20 in t/SATest.pm at line 707 fail #15
Output can be examined in: 
not ok 21
# Failed test 21 in t/dkim2.t at line 112 fail #5
        Testing sample data/dkim/test-pass-06.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 22
# Failed test 22 in t/SATest.pm at line 707 fail #16
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 23
# Failed test 23 in t/SATest.pm at line 707 fail #17
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 24
# Failed test 24 in t/SATest.pm at line 707 fail #18
Output can be examined in: 
not ok 25
# Failed test 25 in t/dkim2.t at line 112 fail #6
        Testing sample data/dkim/test-pass-07.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 26
# Failed test 26 in t/SATest.pm at line 707 fail #19
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 27
# Failed test 27 in t/SATest.pm at line 707 fail #20
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 28
# Failed test 28 in t/SATest.pm at line 707 fail #21
Output can be examined in: 
not ok 29
# Failed test 29 in t/dkim2.t at line 112 fail #7
        Testing sample data/dkim/test-pass-08.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 30
# Failed test 30 in t/SATest.pm at line 707 fail #22
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 31
# Failed test 31 in t/SATest.pm at line 707 fail #23
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 32
# Failed test 32 in t/SATest.pm at line 707 fail #24
Output can be examined in: 
not ok 33
# Failed test 33 in t/dkim2.t at line 112 fail #8
        Testing sample data/dkim/test-pass-09.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 34
# Failed test 34 in t/SATest.pm at line 707 fail #25
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 35
# Failed test 35 in t/SATest.pm at line 707 fail #26
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 36
# Failed test 36 in t/SATest.pm at line 707 fail #27
Output can be examined in: 
not ok 37
# Failed test 37 in t/dkim2.t at line 112 fail #9
        Testing sample data/dkim/test-pass-10.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 38
# Failed test 38 in t/SATest.pm at line 707 fail #28
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 39
# Failed test 39 in t/SATest.pm at line 707 fail #29
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 40
# Failed test 40 in t/SATest.pm at line 707 fail #30
Output can be examined in: 
not ok 41
# Failed test 41 in t/dkim2.t at line 112 fail #10
        Testing sample data/dkim/test-pass-11.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 42
# Failed test 42 in t/SATest.pm at line 707 fail #31
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 43
# Failed test 43 in t/SATest.pm at line 707 fail #32
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 44
# Failed test 44 in t/SATest.pm at line 707 fail #33
Output can be examined in: 
not ok 45
# Failed test 45 in t/dkim2.t at line 112 fail #11
        Testing sample data/dkim/test-pass-12.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 46
# Failed test 46 in t/SATest.pm at line 707 fail #34
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 47
# Failed test 47 in t/SATest.pm at line 707 fail #35
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 48
# Failed test 48 in t/SATest.pm at line 707 fail #36
Output can be examined in: 
not ok 49
# Failed test 49 in t/dkim2.t at line 112 fail #12
        Testing sample data/dkim/test-pass-13.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 50
# Failed test 50 in t/SATest.pm at line 707 fail #37
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 51
# Failed test 51 in t/SATest.pm at line 707 fail #38
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 52
# Failed test 52 in t/SATest.pm at line 707 fail #39
Output can be examined in: 
not ok 53
# Failed test 53 in t/dkim2.t at line 112 fail #13
        Testing sample data/dkim/test-pass-14.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 54
# Failed test 54 in t/SATest.pm at line 707 fail #40
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 55
# Failed test 55 in t/SATest.pm at line 707 fail #41
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 56
# Failed test 56 in t/SATest.pm at line 707 fail #42
Output can be examined in: 
not ok 57
# Failed test 57 in t/dkim2.t at line 112 fail #14
        Testing sample data/dkim/test-pass-15.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 58
# Failed test 58 in t/SATest.pm at line 707 fail #43
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 59
# Failed test 59 in t/SATest.pm at line 707 fail #44
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 60
# Failed test 60 in t/SATest.pm at line 707 fail #45
Output can be examined in: 
not ok 61
# Failed test 61 in t/dkim2.t at line 112 fail #15
        Testing sample data/dkim/test-pass-16.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 62
# Failed test 62 in t/SATest.pm at line 707 fail #46
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 63
# Failed test 63 in t/SATest.pm at line 707 fail #47
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 64
# Failed test 64 in t/SATest.pm at line 707 fail #48
Output can be examined in: 
not ok 65
# Failed test 65 in t/dkim2.t at line 112 fail #16
        Testing sample data/dkim/test-pass-17.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 66
# Failed test 66 in t/SATest.pm at line 707 fail #49
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 67
# Failed test 67 in t/SATest.pm at line 707 fail #50
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 68
# Failed test 68 in t/SATest.pm at line 707 fail #51
Output can be examined in: 
not ok 69
# Failed test 69 in t/dkim2.t at line 112 fail #17
        Testing sample data/dkim/test-pass-18.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
not ok 70
# Failed test 70 in t/SATest.pm at line 707 fail #52
        Checking DKIM_VALID
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
not ok 71
# Failed test 71 in t/SATest.pm at line 707 fail #53
        Checking DKIM_VALID_AU
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
not ok 72
# Failed test 72 in t/SATest.pm at line 707 fail #54
Output can be examined in: 
not ok 73
# Failed test 73 in t/dkim2.t at line 112 fail #18
        Testing sample data/dkim/test-pass-19.msg
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 112.
# Failed test 74 in t/SATest.pm at line 707 fail #55
        Not found: DKIM_VALID =  DKIM_VALID  at t/dkim2.t line 112.
# Failed test 75 in t/SATest.pm at line 707 fail #56
        Not found: DKIM_VALID_AU =  DKIM_VALID_AU  at t/dkim2.t line 112.
# Failed test 76 in t/SATest.pm at line 707 fail #57
Output can be examined in: 
# Failed test 77 in t/dkim2.t at line 112 fail #19
        Checking DKIM_SIGNED
not ok 74
        Checking DKIM_VALID
not ok 75
        Checking DKIM_VALID_AU
not ok 76
not ok 77
        Testing sample data/dkim/test-fail-01.msg
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 125.
ok 78
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 125.
ok 79
ok 80
        Testing sample data/dkim/test-fail-02.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 148.
not ok 81
# Failed test 81 in t/SATest.pm at line 707 fail #58
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 148.
ok 82
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 148.
ok 83
Output can be examined in: 
not ok 84
# Failed test 84 in t/dkim2.t at line 148
        Testing sample data/dkim/test-fail-03.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 148.
not ok 85
# Failed test 85 in t/SATest.pm at line 707 fail #59
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 148.
ok 86
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 148.
ok 87
Output can be examined in: 
not ok 88
# Failed test 88 in t/dkim2.t at line 148 fail #2
        Testing sample data/dkim/test-fail-04.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 148.
not ok 89
# Failed test 89 in t/SATest.pm at line 707 fail #60
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 148.
ok 90
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 148.
ok 91
Output can be examined in: 
not ok 92
# Failed test 92 in t/dkim2.t at line 148 fail #3
        Testing sample data/dkim/test-fail-05.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 148.
not ok 93
# Failed test 93 in t/SATest.pm at line 707 fail #61
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 148.
ok 94
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 148.
ok 95
Output can be examined in: 
not ok 96
# Failed test 96 in t/dkim2.t at line 148 fail #4
        Testing sample data/dkim/test-fail-06.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 148.
not ok 97
# Failed test 97 in t/SATest.pm at line 707 fail #62
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 148.
ok 98
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 148.
ok 99
Output can be examined in: 
not ok 100
# Failed test 100 in t/dkim2.t at line 148 fail #5
        Testing sample data/dkim/test-fail-07.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 148.
not ok 101
# Failed test 101 in t/SATest.pm at line 707 fail #63
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 148.
ok 102
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 148.
ok 103
Output can be examined in: 
not ok 104
# Failed test 104 in t/dkim2.t at line 148 fail #6
        Testing sample data/dkim/test-fail-08.msg
        Checking DKIM_SIGNED
        Not found: DKIM_SIGNED =  DKIM_SIGNED  at t/dkim2.t line 148.
not ok 105
# Failed test 105 in t/SATest.pm at line 707 fail #64
        Checking for anti-pattern DKIM_VALID at t/dkim2.t line 148.
ok 106
        Checking for anti-pattern DKIM_VALID_AU at t/dkim2.t line 148.
ok 107
Output can be examined in: 
not ok 108
# Failed test 108 in t/dkim2.t at line 148 fail #7
FAILED tests 2-77, 81, 84-85, 88-89, 92-93, 96-97, 100-101, 104-105, 108
        Failed 90/108 tests, 16.67% okay
Failed Test Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/dkim2.t                108   90  83.33%  2-77 81 84-85 88-89 92-93 96-97 100-
                                           101 104-105 108
Failed 1/1 test scripts, 0.00% okay. 90/108 subtests failed, 16.67% okay.




Mark, I can give you SSH on the machine if you want.

  Modify Plugin::DKIM to make it survive old versions of Mail::DKIM
  which did not have a per-signature methods 'result' and 'result_detail'.
  Update t/dkim2.t to report version of Mail::DKIM, and turn off
  some redundant clutter.
Sending        lib/Mail/SpamAssassin/Plugin/DKIM.pm
Sending        t/dkim2.t
Committed revision 791599.

The situation with very old versions of Mail::DKIM is pretty much
hopeless, as RFC 4871 requires v=1 in the signature:

   v=  Version (MUST be included).  This tag defines the version of this
       specification that applies to the signature record.  It MUST have
       the value "1".  Note that verifiers must do a string comparison
       on this value; for example, "1" is not the same as "1.0".

but versions of Mail::DKIM before 0.26 insisted on v=0.5 and fail
a signature with v=1.

So, Mail::DKIM version 0.26 is the first conditionally usable version
which can deal with standard signatures.

0.26 first which allows v=1
0.27 (never published)
0.28 fails to recognize presence of a signature when a public key is
      missing or revoked, but otherwise works ok
0.29 same as 0.28
0.30 fixes 0.28/0.29 issue, but breaks on a shuffled header section
0.31, 0.32, 0.33, 3.34, 0.35, 0.36 pass all current SA tests

So the 0.31 seems to be the first really usable version for SpamAssassin.

+1 to make 0.31 required in Makefile.pl

+1 to that min version, too

> 0.31, 0.32, 0.33, 3.34, 0.35, 0.36 pass all current SA tests
> So the 0.31 seems to be the first really usable version for SpamAssassin.

0.31 2008-04-14

Just some selected entries from a ChangeLog in later versions,
for consideration:

0.32 2008-06-03
- granularity checking should be case-sensitive

0.33 2009-03-10
  (nothing relevant to verification)

0.34 2009-05-20
- DNS resolver errors are detected and reported as such

0.35 2009-05-22
- fixes a DoS, as discussed on the amavis ML: fixed a runaway regular
  expression in the canonicalization routines

0.36 2009-06-02
  (nothing relevant to our plugin)

  Bug 6100, DependencyInfo.pm, DKIM.pm: bump the required 
  minimal version of Mail::DKIM to 0.31 (warn otherwise, but 
  not enforced). Updated associated text in DependencyInfo.
Sending        lib/Mail/SpamAssassin/Plugin/DKIM.pm
Sending        lib/Mail/SpamAssassin/Util/DependencyInfo.pm
Committed revision 791657.

  Plugin/DKIM.pm: use the Mail::DKIM::AuthorDomainPolicy
  instead of Mail::DKIM::DkimPolicy, when available (since
  Mail::DKIM 0.34). Added 6 new test messages along with
  corresponding ADSP tests in t/dkim2.t.
Sending        lib/Mail/SpamAssassin/Plugin/DKIM.pm
Sending        t/data/01_test_rules.cf
Adding         t/data/dkim/test-adsp-11.msg
Adding         t/data/dkim/test-adsp-12.msg
Adding         t/data/dkim/test-adsp-13.msg
Adding         t/data/dkim/test-adsp-14.msg
Adding         t/data/dkim/test-adsp-15.msg
Adding         t/data/dkim/test-fail-09.msg
Sending        t/dkim2.t
Transmitting file data .........
Committed revision 791964.

Still missing are some true network-based ADSP tests,
for which I need to add few additional RR in the
sa-test.spamassassin.org DNS zone file. Nonessential.

> Still missing are some true network-based ADSP tests,
> for which I need to add few additional RR in the
> sa-test.spamassassin.org DNS zone file. Nonessential.

Ok, done that:

  t/dkim2.t: add ADSP network tests, now that some test _adsp
  resource records are published under a sa-test.spamassassin.org
  DNS zone. Plugin/DKIM.pm: deal with a missing method as_string in
  Mail::DKIM 0.35 (it was reintroduced in 0.36, but nevertheless).
  Disabling Razor2 scores in t/dkim2.t reduces the elapsed time
  for a dkim2.t test run from 80 seconds to 4 seconds.

Sending        lib/Mail/SpamAssassin/Plugin/DKIM.pm
Sending        t/data/dkim/test-adsp-11.msg
Sending        t/data/dkim/test-adsp-12.msg
Sending        t/data/dkim/test-adsp-13.msg
Sending        t/data/dkim/test-adsp-14.msg
Sending        t/data/dkim/test-adsp-15.msg
Adding         t/data/dkim/test-adsp-16.msg
Adding         t/data/dkim/test-adsp-17.msg
Adding         t/data/dkim/test-adsp-18.msg
Adding         t/data/dkim/test-adsp-19.msg
Adding         t/data/dkim/test-adsp-20.msg
Adding         t/data/dkim/test-adsp-21.msg
Adding         t/data/dkim/test-adsp-22.msg
Sending        t/dkim2.t
Transmitting file data ..............
Committed revision 792363.

this is now fixed, right?