On Mon, Apr 08, 2024 at 03:44:00PM +0800, Haifeng Xu wrote: > I can also reproduced it. After digging into it, I found that our DKIM signature header > has 't' and 'x' flags. They are recommended as a means to help identify spam. > > t= is the DKIM signature timestamp. > x= is the DKIM signature expiration time. > > The source code of DKIM Validation can be seen in dkim/__init__.py(line 351), I paste it > here. > > 343 if b'x' in sig: > 344 if re.match(br"\d+$", sig[b'x']) is None: > 345 raise ValidationError( > 346 "x= value is not a decimal integer (%s)" % sig[b'x']) > 347 x_sign = int(sig[b'x']) > 348 now = int(time.time()) > 349 slop = 36000 # 10H leeway for mailers with inaccurate clocks > 350 if x_sign < now - slop: > 351 raise ValidationError( > 352 "x= value is past (%s)" % sig[b'x']) > 353 if x_sign < t_sign: > 354 raise ValidationError( > 355 "x= value is less than t= value (x=%s t=%s)" % > 356 (sig[b'x'], sig[b't'])) > > The expiry time is less than the time point you download the patch, so the validation > fails. If I comment out these lines, this series can be successfully downloaded. FWIW, I've requested ability to ignore the x= flag when validating signatures: https://bugs.launchpad.net/dkimpy/+bug/2047054 -K
