Ubuntu
libmail-dkim-perl package

Merge ~mirespace/ubuntu/+source/libmail-dkim-perl:reverting-upstream-debian-ed25519-noble-proposed into ubuntu/+source/libmail-dkim-perl:ubuntu/devel

  1. Git
  2. lp:~mirespace/ubuntu/+source/libmail-dkim-perl
  3. reverting-upstream-debian-ed25519-noble-proposed
  4. Merge into ubuntu/devel
Proposed by Miriam España Acebal
Status: Rejected
Rejected by: Andreas Hasenack
Proposed branch: ~mirespace/ubuntu/+source/libmail-dkim-perl:reverting-upstream-debian-ed25519-noble-proposed
Merge into: ubuntu/+source/libmail-dkim-perl:ubuntu/devel
Diff against target: 1764 lines (+1689/-3)
9 files modified
debian/changelog (+9/-0)
debian/control (+2/-3)
debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch (+94/-0)
debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch (+496/-0)
debian/patches/0003-Revert-set-rsa-ed25519-type.patch (+84/-0)
debian/patches/0004-Revert-added-ed25519-signing-support.patch (+327/-0)
debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch (+578/-0)
debian/patches/0006-Revert-Debian-support-for-ed25519.patch (+93/-0)
debian/patches/series (+6/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Disapprove
Ubuntu Sponsors Pending
Canonical Server Reporter Pending
Review via email: mp+460681@code.launchpad.net

Description of the change

Hi team,

I'm dropping lybcriptx-perl support (dependencies and related upstream commits) to avoid a component mismatched situation temporarily while packaging New libcrypt-openssl-ed25519-perl package [1]. I'll update the Releases Notes for Noble once this change is accepted.

The patches correspond to this PR in upstream:

https://github.com/fastmail/mail-dkim/pull/18/commits

but, looking into the complete history, you can find these commits where added to a branch created by the maintainer and called "ed25519" which includes two more commits:

https://github.com/fastmail/mail-dkim/commits/ed25519/

The 0006-Revert-*.patch is for undoing the changes related to ed25519 (only those) added by Debian when upgrading the package to version 1.20230630 ( commit message New upstream version 1.20230630) :

https://salsa.debian.org/perl-team/modules/packages/libmail-dkim-perl/-/commit/876974a2c45f2d3ac1c71a4b43b70055fba66f4f

The changes in the code are only adding the use of ed25519, not affecting the use from other third packages of the existing rsa-sha256 algorithm, making a distinction between 'rsa' or 'ed25519' for selecting the correct algorithm.

PPA for this is:

ppa:mirespace/libmail-dkim-perl-no-libcryptx-perl
https://launchpad.net/~mirespace/+archive/ubuntu/libmail-dkim-perl-no-libcryptx-perl

Test passed locally:
autopkgtest [13:55:19]: @@@@@@@@@@@@@@@@@@@@ summary
autodep8-perl-build-deps PASS
autodep8-perl PASS (superficial)
autodep8-perl-recommends PASS (superficial)

Also, they ran in the infra with good results (i386 not passing is known):

https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-libmail-dkim-perl-no-libcryptx-perl/?format=plain

 ✅ libmail-dkim-perl on noble for amd64 @ 19.02.24 08:59:17
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-libmail-dkim-perl-no-libcryptx-perl/noble/amd64/libm/libmail-dkim-perl/20240219_085917_d304c@/log.gz

 ✅ libmail-dkim-perl on noble for arm64 @ 19.02.24 09:35:18
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-libmail-dkim-perl-no-libcryptx-perl/noble/arm64/libm/libmail-dkim-perl/20240219_093518_1a71a@/log.gz

 ✅ libmail-dkim-perl on noble for armhf @ 19.02.24 09:04:19
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-libmail-dkim-perl-no-libcryptx-perl/noble/armhf/libm/libmail-dkim-perl/20240219_090419_1fb9a@/log.gz

✅ libmail-dkim-perl on noble for ppc64el @ 19.02.24 09:01:02
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-libmail-dkim-perl-no-libcryptx-perl/noble/ppc64el/libm/libmail-dkim-perl/20240219_090102_81f0d@/log.gz

✅ libmail-dkim-perl on noble for s390x @ 19.02.24 09:19:56
      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-mirespace-libmail-dkim-perl-no-libcryptx-perl/noble/s390x/libm/libmail-dkim-perl/20240219_091956_7991c@/log.gz

And all building tests passed:

All tests successful.
Files=19, Tests=455, 2 wallclock secs ( 0.08 usr 0.05 sys + 1.43 cusr 0.40 csys = 1.96 CPU)
Result: PASS

Checking spamassassin's tests again this libmail-dkim-perl was also OK:

$ autopkgtest -U -s --add-apt-source="deb [trusted=yes] https://ppa.launchpadcontent.net/mirespace/libmail-dkim-perl-no-libcryptx-perl/ubuntu noble main" spamassassin -- qemu /media/miriam/extension/Images/autopkgtest-noble-amd64.img

[...]
autopkgtest [16:51:09]: @@@@@@@@@@@@@@@@@@@@ summary
spamassassin.nospam PASS
spamassassin.spam PASS
daemon PASS

And looking into the building tests of spamassassin, the dkim test is disabled because it could be flaky due to network issues. But, I manually disabled the net verification (commenting line 19 in t/dkim.t) and I launched the test with the libmail-dkim-perl package proposed here:

All tests successful.
Files=1, Tests=258, 16 wallclock secs ( 0.03 usr 0.02 sys + 3.82 cusr 0.15 csys = 4.02 CPU)
Result: PASS

Complete log at https://pastebin.ubuntu.com/p/gjGdCrB9hF/

Package installed :

root@Nspamassasin-dkim-no-cryptx:~/spamassassin# dpkg -l libmail-dkim-perl | grep dkim
ii libmail-dkim-perl 1.20240124-1ubuntu1+ppa1 all module to cryptographically identify the sender of email

without libcryptx-perl:

root@Nspamassasin-dkim-no-cryptx:~/spamassassin# apt-cache policy libcryptx-perl
libcryptx-perl:
  Installed: (none)
  Candidate: 0.080-2build1
  Version table:
     0.080-2build1 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages

Please, review and sponsor if LGTY. Thanks in advance (also, for your time reviewing this)!

[1] https://bugs.launchpad.net/ubuntu/+source/libcryptx-perl/+bug/2046154/comments/6

To post a comment you must log in.
Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

I still have to go over this in more detail, but my first question (and sorry if I missed the answer somewhere), is about the reverse dependencies of libmail-dkim-perl:
$ apt-cache rdepends libmail-dkim-perl
libmail-dkim-perl
Reverse Depends:
  sympa
  amavisd-new
  libmail-dmarc-perl
  spamassassin

What about sympa and amavisd-new, do they indirectly rely on libcryptx-perl, or specifically, on the ed25519 code? Did you also rebuild these reverse dependencies, and their tests?

Revision history for this message
Miriam España Acebal (mirespace) wrote :

Hi Andreas!

> I still have to go over this in more detail, but my first question (and sorry
> if I missed the answer somewhere)

Nothing to be sorry about... Maybe I missed this question in the standup :$.

> What about sympa and amavisd-new, do they indirectly rely on libcryptx-perl,
> or specifically, on the ed25519 code? Did you also rebuild these reverse
> dependencies, and their tests?

Good point (as ever) ! I'm on it with the tests and checking the code of those reverse dependencies to look for Mail::Dkim inclusions and calls to any removed code in this MP.

I'll go back to you with the conclusions... thanks Andreas!

Revision history for this message
Miriam España Acebal (mirespace) wrote (last edit ):
Download full text (6.0 KiB)

TL;DR: Checking that amavisd-new or sympa still work ok when dropping this change: OK

All tested against the package in the ppa.

A. Code Insights: No one of the packages calls directly or indirectly the added (and removed here) code.

In both cases, an 'ack ed25519' search doesn't return anything.

Files modified by these MP are

lib/Mail/DKIM/Signature.pm
lib/Mail/DKIM/Verifier.pm
 -- > Modified functions
       _check_and_verify_signature → private, called by finish_body
lib/Mail/DKIM/PublicKey.pm
lib/Mail/DKIM/Algorithm/ed25519_sha256.pm

A.1. Sympa:

sympa
-------------
❯ ack Mail::DKIM::Signature
❯ ack Mail::DKIM::PublicKey
❯ ack Mail::DKIM::Verifier
cpanfile
182:recommends 'Mail::DKIM::Verifier', '>= 0.37';
272:feature 'Mail::DKIM::Verifier', 'Required in order to use DKIM features (both for signature verification and signature insertion).' => sub {
273: requires 'Mail::DKIM::Verifier', '>= 0.37';

src/lib/Sympa/Message.pm
648: eval 'use Mail::DKIM::Verifier';
655: return unless $Mail::DKIM::Verifier::VERSION;
668: unless ($dkim = Mail::DKIM::Verifier->new()) {
669: $log->syslog('err', 'Could not create Mail::DKIM::Verifier');

Checking Algorithm used is rsa:

❯ ack -C2 Algorithm
src/lib/Sympa/Message.pm
502- # create a signer object
503- my $dkim = Mail::DKIM::Signer->new(
504: Algorithm => "rsa-sha256",
505- Method => "relaxed",
506- Domain => $dkim_d,
--
600- # create a signer object
601- my $arc = Mail::DKIM::ARC::Signer->new(
602: Algorithm => "rsa-sha256",
603- Chain => $arc_cv,
604- SrvId => $arc_srvid,

A.2. amavisd-new:

amavisd-new
-------------------

❯ ack Mail::DKIM::Signature
lib/Amavis/Tools.pm
116: $dkim->add_signature( Mail::DKIM::Signature->new(

lib/Amavis/DKIM.pm
27:use Mail::DKIM::Signature;
336:# returning them as a list of Mail::DKIM::Signature objects
694: $dkim->add_signature( Mail::DKIM::Signature->new(
838: # map a Mail::DKIM::Signature result into an RFC 7601 result value
❯ ack Mail::DKIM::PublicKey
❯ ack Mail::DKIM::Verifier
lib/Amavis.pm
900: Net::Patricia Net::LDAP Mail::SpamAssassin Mail::DKIM::Verifier
6221: if (!defined $dns_resolver && Mail::DKIM::Verifier->VERSION >= 0.40) {
6223: # of Mail::DKIM::Verifier; this avoids repeating initializations
6254: $dkim_verifier = Mail::DKIM::Verifier->new;

lib/Amavis/SpamControl/SpamAssassin.pm
123: push(@modules, qw(Mail::DKIM Mail::DKIM::Verifier Net::DNS::Resolver))

lib/Amavis/Tools.pm
139: my $dkim_verifier = Mail::DKIM::Verifier->new;
140: $dkim_verifier or die "Could not create a Mail::DKIM::Verifier object";

lib/Amavis/DKIM.pm
24:use Mail::DKIM::Verifier 0.31;

Checking Algorithm used is rsa:

❯ ack -C2 Algorithm
lib/Amavis/Tools.pm
116- $dkim->add_signature( Mail::DKIM::Signature->new(
117- Selector => $selector_ace, Domain => $domain_ace,
118: Method => 'simple/simple', Algorithm => 'rsa-sha256',
119- Timestamp => int($now), Expiration => int($now)+24*3600, Key => $key,
120- )); under;

lib/Amavis/DKIM.pm
299-
300-# a CustomSigner callback routine passed to Mail::DKIM in place of a key;
301:# the ro...

Read more...

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

So I'm looking at this, and here are my concerns:

a) complex delta
These patches look like they will be hard to carry forward. Even though we are unlikely to see big changes in noble SRUs, and there they should be more maintainable, this is delta that will be hard to maintain post-noble.

b) we are making a big change to a package
Ed25519 was announced by upstream as part of the 1.20230630 release. Except, in Ubuntu, it's not. configure-like and other version checks might be assuming that after this version, Ed25519 support is there for granted. But not in Ubuntu. In other words, we are deviating quite harshly from upstream and removing a feature they added more than a year ago. Granted, most good such checks will look for the actual feature being present, and not just a version number, but still.

c) there is no guarantee that we will benefit from this work
For this to be complete, we still need the MIR LP: #2023971 to be complete. It's currently in the security review queue, and it might come out from there as a +1 or a -1.

We currently have these versions in noble:

 libmail-dkim-perl | 1.20230212-1 | noble | source
 libmail-dkim-perl | 1.20240124-1 | noble-proposed | source

The upstream change that added Ed25519 support is in 1.20230630, which mean it's *NOT* in noble release at the moment, only noble-proposed.

I propose that we kick out 1.20240124-1 from noble-proposed, and keep the one in noble-release. We can either add this package to the sync-blocklist[1], or upload a no-change rebuild with an ubuntu suffix to block it from syncing that way. I seem to remember there was a discussion on a suitable suffix for such changes, something like adding "maysync" or similar. We can find that, I think it was used recently in an MP in the server team even, for dns root data?

Yes:

 dns-root-data | 2023112702~willsync1 | noble | source, all

But maybe for now, just before FF, we should add a block to it, just to be safe. Although, if we do nothing, it will just stay in proposed without migrating...

Now, if there is something in newer libmail-dkim-perl that we want, maybe the plan above doesn't work so well. Or we could cherry-pick what we want that is in newer versions only.

So, what do you think?

1. https://code.launchpad.net/~ubuntu-archive/+git/sync-blocklist

review: Needs Information
Revision history for this message
Miriam España Acebal (mirespace) wrote :

Thanks Andreas!

It makes perfect sense for a user to trust that a new package version will come with all the features announced upstream.... thanks for bringing up this point.

I checked spamassassin versions and we are in 4.0.0 since Mantic, so new features that can come in -proposed libmail-dkim-perl version are not in use yet:

 spamassassin | 3.4.6-1ubuntu0.22.04.1 | jammy-updates | source, all
 spamassassin | 4.0.0-7ubuntu1 | mantic | source, all
 spamassassin | 4.0.0-8ubuntu1 | noble | source, all

for libmail-dmar-perl is the same case:

 libmail-dmarc-perl | 1.20230215-1 | mantic/universe | source, all
 libmail-dmarc-perl | 1.20230215-1 | noble/universe | source, all

Only for the records, the changes that come with the dkim -proposed version are:

1.20240124 2024-01-24 UTC
  * ARC: Return fail for any ARC set with an instance number greater than 50.
    This brings ARC verification in line with DKIM verification limits.

1.20230911 2023-09-11 UTC
  * Option to add custom tags to generated ARC signatures and seals

1.20230630 2023-06-30 UTC
  * Add support for Ed25519 signature types
    Thanks to Matthäus Wander @mwander
  * Option to add custom tags to generated signatures

So I'm okay with adding libmail-dkim-perl to the sync-blocklist.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Ok, the "maysync" or "willsync" ideas don't apply here, because the version in noble is way lower then debian unstable:

1.20230212-1 vs 1.20240124-1

Also, the sync blocklist is meant for more permanent blocks, and I don't think we will want to block this package forever.

So my suggestion is, if we all agree on this plan, to:

- remove libmail-dkim-perl 1.20240124-1 from noble-proposed
- prepare and upload libmail-dkim-perl 1.20230212-1ubuntu1 with no changes. The "ubuntu1" suffix will block it from syncing

Revision history for this message
Miriam España Acebal (mirespace) wrote :

MP for blocking is here: https://code.launchpad.net/~mirespace/+git/sync-blocklist/+merge/461273
(I didn't say anything in #ubuntu-release yet; I am waiting for comments from Christian)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks Andreas, this really is a much more maintainable approach to this.
The current version as it is not too old but would get the rest of the stack resolved.
I'd be ok on either sync-blockist or delta to avoid a sync.

I'm already +0.99 on this, but let me ask one crucial question though...

The intent originally was to add back Ed25519 once we managed to create a wrapper we'd trust.
But if we now hold back 1.20240124-1, we'd have a much bigger change to "later add Ed25519".
As we'd then need to go to "at least 1.20230630 for the general infrastructure and then adopt it to use the alternative library for that encryption.

So we'd buy an easier current time, for a more complex future.

Yet OTOH the success, acceptance and all that of the to be created wrapper isn't entirely certain.
We are not taking away anything, it is already without Ed25519, no loss on upgrade. We'd just have that feature later.

And while intention is well meant - there still is the chance we need to decide later, "yeah Ed25519 will only be added in 24.10 but not backported".

With that in mind I'm adding another +0.01 for not spending effort now which might end up being totally different than we thought.

Objections after I forced that thought to be present in your mind?

Revision history for this message
Miriam España Acebal (mirespace) wrote :

Hi Andreas, Christian:

Adding here the third scenario (blocking by suffix):

https://code.launchpad.net/~mirespace/ubuntu/+source/libmail-dkim-perl/+git/libmail-dkim-perl/+merge/461344

As the sync-blocklist MP.

Both are in WIP, but ready. If I'm OOO after the decision on this is taken, feel free to mark Needs Review and Approve/Reject depending on the taken decision.

About the complexity in the long-term: how feasible would it be to upgrade to a new version of this package with new features in noble as LTS? It sounds like we would need a SRU exception for only once... Oh, I forgot Robie's comment (https://bugs.launchpad.net/ubuntu/+source/libcryptx-perl/+bug/2046154/comments/7)... so, at the end, What will the way more compatible to do the SRU to noble later?

1- This MP, removing all the patches and restoring the dependency in d/control as SRU?
2- removing the package from sync-blocklist, and doing a "sync-SRU"?
3- removing the suffix as SRU-change, and sync automatically in MM and "SRU-sync" to noble?

I don't know if a sync to a GA LTS can be done, hence my questions.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :
Download full text (3.3 KiB)

> About the complexity in the long-term: how feasible would it be to upgrade to a new version of this
> package with new features

We don't have to upgrade, we can patch the ed25519 support in. Basically the revert of you patches here.

It's still a new feature, of course, and one could argue it's a delta as complicated as the one here dropping the patches. So updating the version might be less risky. Both scenarios, however, will require an FFe for noble. Personally, I would prefer upgrading to 1.20240124-1 when the time comes.

So let's think about the scenarios:

a) Proceed as planned with this MP, which means:
- remove Ed25519 support from src:libmail-dkim-perl now, and upload
- that will make src:libmail-dkim-perl migrate
- feature freeze happens without Ed25519 support

Then:
- fingers crossed that security ACKs MIR LP: #2023971 for src:libmail-dmarc-perl
- the Ed25519 perl+openssl wrapper happens, passes NEW review, goes into noble
- we restore Ed25519 support in src:libmail-dkim-perl by dropping these patches, get an FFe, upload to noble
- change src:spamassassin to again recommend (instead of suggest) bin:libmail-dmarc-perl (its MIR was supposedly accepted above)

b) Revert to src:libmail-dkim-perl 1.20230212 in noble, without Ed25519 support
- remove src:libmail-dkim-perl 1.20240124-1 from noble-proposed
- upload src:libmail-dkim-perl 1.20230212-1ubuntu to block syncs
- feature freeze happens without Ed25519 support

Then:
- fingers crossed that security ACKs MIR LP: #2023971 for src:libmail-dmarc-perl
- the Ed25519 perl+openssl wrapper happens, passes NEW review, goes into noble
- we restore Ed25519 support in src:libmail-dkim-perl. Either updating to 1.20240124, or patching Ed25519 in taken from the 1.20230630 version. FFe required
- change src:spamassassin to again recommend (instead of suggest) bin:libmail-dmarc-perl (its MIR was supposedly accepted above)

So.

If all goes to plan, in *both* cases we will need a FFe for src:libmail-dkim-perl with the Ed25519 feature put back, either via a patch, or a version bump to at least 1.20230630, or preferably (just because it's the sync from debian) 1.20240124-1.

If something fails along the way (MIR is not granted for src:libmail-dmarc-perl, or the new openssl ed25519 perl wrapper doesn't happen in time, or is not reviewed in NEW in time, etc), then we have differences.

In the failed (a) case, we will have in noble a src:libmail-dkim-perl package with Ed25519 patched out. That delta is unlikely to apply cleanly on version upgrades, but that shouldn't happen in noble SRUs. This has the "unexpected" feeling (to me) of a newer version of a package with a feature dropped by us as a delta. If we manage to unfail things after noble was released, an SRU would just remove that patch, and by that, add a new feature.

In the failed (b) case, we will have in noble a normal src:libmail-dkim-perl package, just behind debian, without Ed25519. After we "unfail" this, the SRU would be to add a feature by either adding ed25519 via patches, or bumping the version. This might be psychological, but personally I feel that removing patches has less risk than adding them, or bumping the version.

If we...

Read more...

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Let's take a look at the patches, while we are at it (inline).

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Oh, and after looking more closely at the reverts, and I think I haven't mentioned this before: there is risk in us missing something in these reverts, or later, miss something if we decide to patch ed25519 back in (instead of bumping the version).

Revision history for this message
Miriam España Acebal (mirespace) wrote :

I understand completely that the patches way could be more risky and are ugly/tedious/horrible/madness to inspection.

(ofi) I did the patches 1-5 with git format-patch -5 HEAD from marcbrashaw/ed25519 (upstream/ed25519) branch, I didn't do it manually

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

We decided to go with (b) and drop[1] libmail-dkim-perl 1.20240124-1 from noble-proposed.

1. https://bugs.launchpad.net/ubuntu/+source/libmail-dkim-perl/+bug/2055198

Revision history for this message
Andreas Hasenack (ahasenack) :
review: Disapprove

Unmerged commits

4844d33... by Miriam España Acebal

changelog

e23ee2c... by Miriam España Acebal

update-maintainer

9b1b276... by Miriam España Acebal

d/control: Dropping libcryptc-perl dependency.

f5552de... by Miriam España Acebal

d/p/0006-Revert-*.patch: Reverting changes applied by debian to support ed25519

959e0c1... by Miriam España Acebal

d/patches/*-Revert-*.patch: Dropping ed25519 support while replacing
    using of libcryptx-perl as dependency. Reverting upstream changes.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 4a792c5..edafb42 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,12 @@
6+libmail-dkim-perl (1.20240124-1ubuntu1) noble; urgency=medium
7+
8+ * d/patches/*-Revert-*.patch: Drop ed25519 support while replacing
9+ the use of libcryptx-perl as dependency. Revert upstream and debian
10+ changes due to that (LP: #2046154).
11+ * d/control: Drop libcryptx-perl dependency.
12+
13+ -- Miriam España Acebal <miriam.espana@canonical.com> Fri, 16 Feb 2024 13:20:59 +0100
14+
15 libmail-dkim-perl (1.20240124-1) unstable; urgency=medium
16
17 * Team upload.
18diff --git a/debian/control b/debian/control
19index 9c1240c..9bf4a65 100644
20--- a/debian/control
21+++ b/debian/control
22@@ -1,12 +1,12 @@
23 Source: libmail-dkim-perl
24-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
25+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
26+XSBC-Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
27 Uploaders: Magnus Holmgren <holmgren@debian.org>
28 Section: perl
29 Testsuite: autopkgtest-pkg-perl
30 Priority: optional
31 Build-Depends: debhelper-compat (= 13)
32 Build-Depends-Indep: libcrypt-openssl-rsa-perl <!nocheck>,
33- libcryptx-perl <!nocheck>,
34 libdigest-sha-perl <!nocheck>,
35 liberror-perl <!nocheck>,
36 libmail-authenticationresults-perl <!nocheck>,
37@@ -27,7 +27,6 @@ Architecture: all
38 Depends: ${misc:Depends},
39 ${perl:Depends},
40 libcrypt-openssl-rsa-perl,
41- libcryptx-perl,
42 libdigest-sha-perl,
43 liberror-perl,
44 libgetopt-long-descriptive-perl,
45diff --git a/debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch b/debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch
46new file mode 100644
47index 0000000..71b97c9
48--- /dev/null
49+++ b/debian/patches/0001-Revert-Ed25519-Add-test-for-missing-public-key.patch
50@@ -0,0 +1,94 @@
51+From d7cd937e612f44d8862999f4a8894384ac8eb8c1 Mon Sep 17 00:00:00 2001
52+From: Miriam Espana Acebal <miriam.espana@canonical.com>
53+Date: Fri, 16 Feb 2024 13:11:48 +0100
54+Subject: [PATCH 1/5] Revert "Ed25519: Add test for missing public key"
55+
56+This reverts commit 1d37a260ec2090aaccb3bbe6bb668d7ca1569836.
57+---
58+ t/FAKE_DNS.dat | 1 -
59+ t/corpus/badkey4_ed25519.txt | 16 ----------------
60+ t/corpus/badkey5_ed25519.txt | 16 ----------------
61+ t/verifier.t | 4 +---
62+ 4 files changed, 1 insertion(+), 36 deletions(-)
63+ delete mode 100644 t/corpus/badkey4_ed25519.txt
64+ delete mode 100644 t/corpus/badkey5_ed25519.txt
65+
66+diff --git a/t/FAKE_DNS.dat b/t/FAKE_DNS.dat
67+index 602c13b..22e24da 100644
68+--- a/t/FAKE_DNS.dat
69++++ b/t/FAKE_DNS.dat
70+@@ -25,5 +25,4 @@ nonexistent._domainkey.messiah.edu NXDOMAIN
71+ test3._domainkey.blackhole.messiah.edu ~~Query timed out~~
72+ test3._domainkey.blackhole2.messiah.edu ~~SERVFAIL~~
73+ 2023-05-ed25519._domainkey.wander.science v=DKIM1; k=ed25519; p=pP+YUyRjAvKha4Oc49KAY703oLUS1NLMEuGD3IHMKww=
74+-2023-05-ed25519-empty._domainkey.wander.science ""
75+ invalid._domainkey.wander.science v=DKIM1; k=ed25519; p=MCowBQYDK2VwAyEA3SUqa9UbfciWkk7tlcJ9P1VD5pXAasg0JUn/OgjVbKE=
76+diff --git a/t/corpus/badkey4_ed25519.txt b/t/corpus/badkey4_ed25519.txt
77+deleted file mode 100644
78+index 4693bc2..0000000
79+--- a/t/corpus/badkey4_ed25519.txt
80++++ /dev/null
81+@@ -1,16 +0,0 @@
82+-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
83+- d=wander.science; s=2023-05-ed25519-does-not-exist; h=Subject:Content-Transfer-Encoding:
84+- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References:
85+- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s
86+- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg
87+- ==;
88+-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science>
89+-Date: Wed, 10 May 2023 21:54:21 +0200
90+-MIME-Version: 1.0
91+-To: echo@mail.town
92+-From: mail@wander.science
93+-Content-Type: text/plain; charset=UTF-8; format=flowed
94+-Content-Transfer-Encoding: 7bit
95+-Subject: Test ed25519
96+-
97+-This is an elliptic test, with a missing key.
98+diff --git a/t/corpus/badkey5_ed25519.txt b/t/corpus/badkey5_ed25519.txt
99+deleted file mode 100644
100+index f60f504..0000000
101+--- a/t/corpus/badkey5_ed25519.txt
102++++ /dev/null
103+@@ -1,16 +0,0 @@
104+-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
105+- d=wander.science; s=2023-05-ed25519-empty; h=Subject:Content-Transfer-Encoding:
106+- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References:
107+- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s
108+- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg
109+- ==;
110+-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science>
111+-Date: Wed, 10 May 2023 21:54:21 +0200
112+-MIME-Version: 1.0
113+-To: echo@mail.town
114+-From: mail@wander.science
115+-Content-Type: text/plain; charset=UTF-8; format=flowed
116+-Content-Transfer-Encoding: 7bit
117+-Subject: Test ed25519
118+-
119+-This is an elliptic test, with a missing key.
120+diff --git a/t/verifier.t b/t/verifier.t
121+index 3f802c9..90320d4 100755
122+--- a/t/verifier.t
123++++ b/t/verifier.t
124+@@ -2,7 +2,7 @@
125+
126+ use strict;
127+ use warnings;
128+-use Test::More tests => 111;
129++use Test::More tests => 109;
130+
131+ use Mail::DKIM::Verifier;
132+
133+@@ -167,8 +167,6 @@ test_email( "goodkey_ed25519.txt", "pass" );
134+ test_email( "badkey1_ed25519.txt", "invalid" ); # key has invalid length
135+ test_email( "badkey2_ed25519.txt", "fail" ); # header modified
136+ test_email( "badkey3_ed25519.txt", "fail" ); # body modified
137+-test_email( "badkey4_ed25519.txt", "invalid" ); # missing key
138+-test_email( "badkey5_ed25519.txt", "invalid" ); # empty key
139+
140+ sub read_file {
141+ my $srcfile = shift;
142+--
143+2.40.1
144+
145diff --git a/debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch b/debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch
146new file mode 100644
147index 0000000..10aeb9d
148--- /dev/null
149+++ b/debian/patches/0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch
150@@ -0,0 +1,496 @@
151+From 3d65013b6cc172343354bfa33e59330b9b44ee57 Mon Sep 17 00:00:00 2001
152+From: Miriam Espana Acebal <miriam.espana@canonical.com>
153+Date: Fri, 16 Feb 2024 13:15:07 +0100
154+Subject: [PATCH 2/5] Revert "Refactor and cleanup some ed25519 code"
155+
156+This reverts commit 86f65f4e6d7b99e759de2ea23c56e16b5e76ab15.
157+---
158+ Changes | 2 -
159+ lib/Mail/DKIM/Algorithm/ed25519_sha256.pm | 4 +-
160+ lib/Mail/DKIM/PrivateKey.pm | 161 ++++++++++----------
161+ lib/Mail/DKIM/PublicKey.pm | 175 ++++++++++------------
162+ 4 files changed, 163 insertions(+), 179 deletions(-)
163+
164+diff --git a/Changes b/Changes
165+index f898dc5..39b645a 100644
166+--- a/Changes
167++++ b/Changes
168+@@ -8,8 +8,6 @@ This file summarizes what's changed between releases of Mail-DKIM.
169+ * Option to add custom tags to generated ARC signatures and seals
170+
171+ 1.20230630 2023-06-30 UTC
172+- * Add support for Ed25519 signature types
173+- Thanks to Matthäus Wander @mwander
174+ * Option to add custom tags to generated signatures
175+
176+ 1.20230212 2023-02-12 UTC
177+diff --git a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm b/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm
178+index 9a4a2f3..d97deeb 100644
179+--- a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm
180++++ b/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm
181+@@ -1,8 +1,8 @@
182+ package Mail::DKIM::Algorithm::ed25519_sha256;
183+ use strict;
184+ use warnings;
185+-our $VERSION = '1.20240124'; # VERSION
186+-# ABSTRACT: ed25519 sha256 algorithm class
187++# VERSION
188++# ABSTRACT: edd2519 sha256 algorithm class
189+
190+ # Copyright 2005-2006 Messiah College. All rights reserved.
191+ # Jason Long <jlong@messiah.edu>
192+diff --git a/lib/Mail/DKIM/PrivateKey.pm b/lib/Mail/DKIM/PrivateKey.pm
193+index af08573..1a9526d 100644
194+--- a/lib/Mail/DKIM/PrivateKey.pm
195++++ b/lib/Mail/DKIM/PrivateKey.pm
196+@@ -15,8 +15,6 @@ our $VERSION = '1.20240124'; # VERSION
197+ use base 'Mail::DKIM::Key';
198+ use Carp;
199+ *calculate_EM = \&Mail::DKIM::Key::calculate_EM;
200+-use Crypt::OpenSSL::RSA;
201+-use Crypt::PK::Ed25519;
202+
203+
204+ sub load {
205+@@ -53,86 +51,88 @@ sub load {
206+ }
207+
208+
209+-sub _convert_rsa {
210++sub convert {
211+ my $self = shift;
212+
213+- # have to PKCS1ify the privkey because openssl is too finicky...
214+- my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n";
215+-
216+- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
217+- $pkcs .= substr $self->data, $i, 64;
218+- $pkcs .= "\n";
219++ # Use different libs subject to key type.
220++ if ( $self->{'TYPE'} eq 'rsa' ) {
221++ use Crypt::OpenSSL::RSA;
222++ }
223++ elsif ( $self->{'TYPE'} eq 'ed25519' ) {
224++ use Crypt::PK::Ed25519;
225+ }
226+
227+- $pkcs .= "-----END RSA PRIVATE KEY-----\n";
228++ $self->data
229++ or return;
230++
231++ if ( $self->{'TYPE'} eq 'rsa' ) {
232++
233++ # have to PKCS1ify the privkey because openssl is too finicky...
234++ my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n";
235++
236++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
237++ $pkcs .= substr $self->data, $i, 64;
238++ $pkcs .= "\n";
239++ }
240++
241++ $pkcs .= "-----END RSA PRIVATE KEY-----\n";
242+
243+- my $cork;
244++ my $cork;
245+
246+- eval {
247+- local $SIG{__DIE__};
248+- $cork = new_private_key Crypt::OpenSSL::RSA($pkcs);
249+- 1
250+- } || do {
251++ eval {
252++ local $SIG{__DIE__};
253++ $cork = new_private_key Crypt::OpenSSL::RSA($pkcs);
254++ 1
255++ } || do {
256+ $self->errorstr($@);
257+ return;
258+- };
259++ };
260+
261+- $cork
262+- or return;
263++ $cork
264++ or return;
265+
266+- # segfaults on my machine
267+- # $cork->check_key or
268+- # return;
269++ # segfaults on my machine
270++ # $cork->check_key or
271++ # return;
272+
273+- $self->cork($cork);
274+- return 1;
275+-}
276++ $self->cork($cork);
277+
278+-sub _convert_ed25519 {
279+- my $self = shift;
280+- my $cork;
281++ }
282++ elsif ( $self->{'TYPE'} eq 'ed25519' ) {
283++ my $cork;
284+
285+- eval {
286+- local $SIG{__DIE__};
287+- $cork = new Crypt::PK::Ed25519;
288++ eval {
289++ local $SIG{__DIE__};
290++ $cork = new Crypt::PK::Ed25519;
291+
292+- # Prepend/append with PEM boilerplate
293+- my $pem = "-----BEGIN ED25519 PRIVATE KEY-----\n";
294+- $pem .= $self->data;
295+- $pem .= "\n";
296+- $pem .= "-----END ED25519 PRIVATE KEY-----\n";
297++ # Prepend/append with PEM boilerplate
298++ my $pem = "-----BEGIN ED25519 PRIVATE KEY-----\n";
299++ $pem .= $self->data;
300++ $pem .= "\n";
301++ $pem .= "-----END ED25519 PRIVATE KEY-----\n";
302+
303+- # Pass PEM text buffer
304+- $cork->import_key(\$pem)
305+- or die 'failed to load Ed25519 private key';
306++ # Pass PEM text buffer
307++ $cork->import_key(\$pem)
308++ or die 'failed to load Ed25519 private key';
309+
310+- # Alternatively, import_raw_key() could be used,
311+- # but requires the 32-byte key, which must be extracted
312+- # from the ASN.1 structure first.
313++ # Alternatively, import_raw_key() could be used,
314++ # but requires the 32-byte key, which must be extracted
315++ # from the ASN.1 structure first.
316+
317+- 1
318+- } || do {
319+- $self->errorstr($@);
320+- return;
321+- };
322++ 1
323++ } || do {
324++ $self->errorstr($@);
325++ return;
326++ };
327+
328+- $cork
329+- or return;
330++ $cork
331++ or return;
332+
333+- $self->cork($cork);
334+- return 1;
335+-}
336++ $self->cork($cork);
337+
338+-sub convert {
339+- my $self = shift;
340+-
341+- $self->data
342+- or return;
343++ }
344+
345+- return $self->_convert_rsa if $self->{TYPE} eq 'rsa';
346+- return $self->_convert_ed25519 if $self->{TYPE} eq 'ed25519';
347+- self->errorstr('unsupported key type');
348+- return;
349++ return 1;
350+ }
351+
352+ #deprecated
353+@@ -151,36 +151,31 @@ sub sign_sha1_digest {
354+ }
355+
356+
357+-sub _sign_digest_rsa {
358++sub sign_digest {
359+ my $self = shift;
360+ my ( $digest_algorithm, $digest ) = @_;
361+
362+- my $rsa_priv = $self->cork;
363+- $rsa_priv->use_no_padding;
364+- my $k = $rsa_priv->size;
365+- my $EM = calculate_EM( $digest_algorithm, $digest, $k );
366+- return $rsa_priv->decrypt($EM);
367+-}
368++ if ( $self->{'TYPE'} eq 'rsa') {
369+
370+-sub _sign_digest_ed25519 {
371+- my $self = shift;
372+- my ( $digest_algorithm, $digest ) = @_;
373++ my $rsa_priv = $self->cork;
374++ $rsa_priv->use_no_padding;
375++
376++ my $k = $rsa_priv->size;
377++ my $EM = calculate_EM( $digest_algorithm, $digest, $k );
378++ return $rsa_priv->decrypt($EM);
379+
380+- my $ed = $self->cork;
381+- if ( !$ed ) {
382+- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem';
383+- die;
384+ }
385+- return $ed->sign_message($digest);
386+-}
387++ elsif ( $self->{'TYPE'} eq 'ed25519' ) {
388+
389+-sub sign_digest {
390+- my $self = shift;
391+- my ( $digest_algorithm, $digest ) = @_;
392++ my $ed = $self->cork;
393++ if ( !$ed ) {
394++ $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem';
395++ die;
396++ }
397+
398+- return $self->_sign_digest_rsa($digest_algorithm, $digest) if $self->{TYPE} eq 'rsa';
399+- return $self->_sign_digest_ed25519($digest_algorithm, $digest) if $self->{TYPE} eq 'ed25519';
400+- die 'unsupported key type';
401++ return $ed->sign_message($digest);
402++
403++ }
404+ }
405+
406+ __END__
407+diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm
408+index bbae0e7..bd45aeb 100644
409+--- a/lib/Mail/DKIM/PublicKey.pm
410++++ b/lib/Mail/DKIM/PublicKey.pm
411+@@ -14,9 +14,6 @@ our $VERSION = '1.20240124'; # VERSION
412+ use base ( 'Mail::DKIM::KeyValueList', 'Mail::DKIM::Key' );
413+ *calculate_EM = \&Mail::DKIM::Key::calculate_EM;
414+
415+-use Crypt::OpenSSL::RSA;
416+-use Crypt::PK::Ed25519;
417+-use MIME::Base64;
418+ use Mail::DKIM::DNS;
419+
420+ sub new {
421+@@ -102,7 +99,7 @@ sub fetch_async {
422+ my $self = $class->parse($strn);
423+ $self->{Selector} = $prms{'Selector'};
424+ $self->{Domain} = $prms{'Domain'};
425+- $self->{TYPE} = $self->get_tag('k') || 'rsa';
426++ $self->{TYPE} = ( $self->get_tag('k') or 'rsa' );
427+ $self->check;
428+
429+ return $on_success->($self);
430+@@ -284,54 +281,57 @@ sub check_hash_algorithm {
431+ # Create an OpenSSL public key object from the Base64-encoded data
432+ # found in this public key's DNS record. The OpenSSL object is saved
433+ # in the "cork" property.
434+-sub _convert_rsa {
435++sub convert {
436+ my $self = shift;
437+- # have to PKCS1ify the pubkey because openssl is too finicky...
438+- my $cert = "-----BEGIN PUBLIC KEY-----\n";
439+
440+- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
441+- $cert .= substr $self->data, $i, 64;
442+- $cert .= "\n";
443++ # Use different libs subject to k= tag.
444++ # Without k= tag, default to RSA to maintain prior behavior
445++ my $k = ( $self->get_tag('k') or 'rsa' );
446++ if ( $k eq 'rsa' ) {
447++ use Crypt::OpenSSL::RSA;
448++ }
449++ elsif ( $k eq 'ed25519' ) {
450++ use Crypt::PK::Ed25519;
451++ use MIME::Base64;
452+ }
453+
454+- $cert .= "-----END PUBLIC KEY-----\n";
455++ $self->data
456++ or return;
457+
458+- my $cork = Crypt::OpenSSL::RSA->new_public_key($cert)
459+- or die 'unable to generate public key object';
460++ if ( $k eq 'rsa' ) {
461++ # have to PKCS1ify the pubkey because openssl is too finicky...
462++ my $cert = "-----BEGIN PUBLIC KEY-----\n";
463+
464+- # segfaults on my machine
465+- # $cork->check_key or
466+- # return;
467++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
468++ $cert .= substr $self->data, $i, 64;
469++ $cert .= "\n";
470++ }
471+
472+- $self->cork($cork);
473+- return 1;
474+-}
475++ $cert .= "-----END PUBLIC KEY-----\n";
476+
477+-sub _convert_ed25519 {
478+- my $self = shift;
479+- my $cork = Crypt::PK::Ed25519->new
480+- or die 'unable to generate Ed25519 public key object';
481++ my $cork = Crypt::OpenSSL::RSA->new_public_key($cert)
482++ or die 'unable to generate public key object';
483+
484+- my $keybin = decode_base64($self->data);
485+- $cork->import_key_raw($keybin, 'public')
486+- or die 'failed to load Ed25519 public key';
487++ # segfaults on my machine
488++ # $cork->check_key or
489++ # return;
490+
491+- $self->cork($cork);
492+- return 1;
493+-}
494++ $self->cork($cork);
495+
496+-sub convert {
497+- my $self = shift;
498++ }
499++ elsif ( $k eq 'ed25519' ) {
500++ my $cork = Crypt::PK::Ed25519->new
501++ or die 'unable to generate Ed25519 public key object';
502+
503+- my $k_tag = $self->get_tag('k');
504+- $k_tag = 'rsa' unless defined $k_tag;
505++ my $keybin = decode_base64($self->data);
506++ $cork->import_key_raw($keybin, 'public')
507++ or die 'failed to load Ed25519 public key';
508+
509+- $self->data
510+- or return;
511++ $self->cork($cork);
512++
513++ }
514+
515+- return $self->_convert_rsa if $k_tag eq 'rsa';
516+- return $self->_convert_ed25519 if $k_tag eq 'ed25519';
517+- die 'unsupported key type';
518++ return 1;
519+ }
520+
521+ sub verify {
522+@@ -436,76 +436,67 @@ sub verify_sha1_digest {
523+ return $self->verify_digest( 'SHA-1', $digest, $signature );
524+ }
525+
526+-sub _verify_digest_rsa {
527++# verify_digest() - returns true if the digest verifies, false otherwise
528++#
529++# if false, $@ is set to a description of the problem
530++#
531++sub verify_digest {
532+ my $self = shift;
533+ my ( $digest_algorithm, $digest, $signature ) = @_;
534+
535+- my $rsa_pub = $self->cork;
536+- if ( !$rsa_pub ) {
537+- $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem';
538+- $@ .= ", s=$self->{Selector} d=$self->{Domain}";
539+- return;
540+- }
541+-
542+- $rsa_pub->use_no_padding;
543+- my $verify_result = $rsa_pub->encrypt($signature);
544++ my $k_tag = $self->get_tag('k') || 'rsa';
545+
546+- my $k = $rsa_pub->size;
547+- my $expected = calculate_EM( $digest_algorithm, $digest, $k );
548+- return 1 if ( $verify_result eq $expected );
549++ if ($k_tag eq 'rsa') {
550++ my $rsa_pub = $self->cork;
551++ if ( !$rsa_pub ) {
552++ $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem';
553++ $@ .= ", s=$self->{Selector} d=$self->{Domain}";
554++ return;
555++ }
556+
557+- # well, the RSA verification failed; I wonder if the RSA signing
558+- # was performed on a different digest value? I think we can check...
559++ $rsa_pub->use_no_padding;
560++ my $verify_result = $rsa_pub->encrypt($signature);
561+
562+- # basically, if the $verify_result has the same prefix as $expected,
563+- # then only the digest was different
564++ my $k = $rsa_pub->size;
565++ my $expected = calculate_EM( $digest_algorithm, $digest, $k );
566++ return 1 if ( $verify_result eq $expected );
567+
568+- my $digest_len = length $digest;
569+- my $prefix_len = length($expected) - $digest_len;
570+- if (
571+- substr( $verify_result, 0, $prefix_len ) eq
572+- substr( $expected, 0, $prefix_len ) )
573+- {
574+- $@ = 'message has been altered';
575+- return;
576+- }
577++ # well, the RSA verification failed; I wonder if the RSA signing
578++ # was performed on a different digest value? I think we can check...
579+
580+- $@ = 'bad RSA signature';
581+- return;
582+-}
583++ # basically, if the $verify_result has the same prefix as $expected,
584++ # then only the digest was different
585+
586+-sub _verify_digest_ed25519 {
587+- my $self = shift;
588+- my ( $digest_algorithm, $digest, $signature ) = @_;
589++ my $digest_len = length $digest;
590++ my $prefix_len = length($expected) - $digest_len;
591++ if (
592++ substr( $verify_result, 0, $prefix_len ) eq
593++ substr( $expected, 0, $prefix_len ) )
594++ {
595++ $@ = 'message has been altered';
596++ return;
597++ }
598+
599+- my $ed = $self->cork;
600+- if ( !$ed ) {
601+- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem';
602+- $@ .= ", s=$self->{Selector} d=$self->{Domain}";
603++ $@ = 'bad RSA signature';
604+ return;
605+- }
606+
607+- my $verify_result = $ed->verify_message($signature, $digest);
608+- return $verify_result if ($verify_result == 1);
609++ } elsif ($k_tag eq 'ed25519') {
610+
611+- $@ = 'bad Ed25519 signature';
612+- return;
613+-}
614++ my $ed = $self->cork;
615++ if ( !$ed ) {
616++ $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem';
617++ $@ .= ", s=$self->{Selector} d=$self->{Domain}";
618++ return;
619++ }
620+
621+-# verify_digest() - returns true if the digest verifies, false otherwise
622+-#
623+-# if false, $@ is set to a description of the problem
624+-#
625+-sub verify_digest {
626+- my $self = shift;
627+- my ( $digest_algorithm, $digest, $signature ) = @_;
628++ my $verify_result = $ed->verify_message($signature, $digest);
629++ return $verify_result if ($verify_result == 1);
630+
631+- my $k_tag = $self->get_tag('k') || 'rsa';
632++ $@ = 'bad Ed25519 signature';
633++ return;
634++
635++ }
636+
637+- return $self->_verify_digest_rsa($digest_algorithm, $digest, $signature) if $k_tag eq 'rsa';
638+- return $self->_verify_digest_ed25519($digest_algorithm, $digest, $signature) if $k_tag eq 'ed25519';
639+- $@ = 'unsupported key type';
640+- return;
641+ }
642+
643+ 1;
644+--
645+2.40.1
646+
647diff --git a/debian/patches/0003-Revert-set-rsa-ed25519-type.patch b/debian/patches/0003-Revert-set-rsa-ed25519-type.patch
648new file mode 100644
649index 0000000..8e8ded8
650--- /dev/null
651+++ b/debian/patches/0003-Revert-set-rsa-ed25519-type.patch
652@@ -0,0 +1,84 @@
653+From 7f8a91d1c8643967907843e45ee75ca0ae5a2157 Mon Sep 17 00:00:00 2001
654+From: Miriam Espana Acebal <miriam.espana@canonical.com>
655+Date: Fri, 16 Feb 2024 13:15:15 +0100
656+Subject: [PATCH 3/5] Revert "set rsa/ed25519 type"
657+
658+This reverts commit d146356d5f0ec41f796cc40f0db76ba400efe12a.
659+---
660+ lib/Mail/DKIM/PrivateKey.pm | 2 +-
661+ lib/Mail/DKIM/PublicKey.pm | 6 ++----
662+ lib/Mail/DKIM/Signer.pm | 6 +-----
663+ 3 files changed, 4 insertions(+), 10 deletions(-)
664+
665+diff --git a/lib/Mail/DKIM/PrivateKey.pm b/lib/Mail/DKIM/PrivateKey.pm
666+index 1a9526d..ad98dd2 100644
667+--- a/lib/Mail/DKIM/PrivateKey.pm
668++++ b/lib/Mail/DKIM/PrivateKey.pm
669+@@ -165,7 +165,7 @@ sub sign_digest {
670+ return $rsa_priv->decrypt($EM);
671+
672+ }
673+- elsif ( $self->{'TYPE'} eq 'ed25519' ) {
674++ elsif ( $self->{'TYPE'} eq 'ed25519') {
675+
676+ my $ed = $self->cork;
677+ if ( !$ed ) {
678+diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm
679+index bd45aeb..dce1736 100644
680+--- a/lib/Mail/DKIM/PublicKey.pm
681++++ b/lib/Mail/DKIM/PublicKey.pm
682+@@ -25,7 +25,7 @@ sub new {
683+ $self->{'GRAN'} = $prms{'Granularity'};
684+ $self->{'NOTE'} = $prms{'Note'};
685+ $self->{'TEST'} = $prms{'Testing'};
686+- $self->{'TYPE'} = ( $prms{'Type'} or 'rsa' );
687++ #$self->{'TYPE'} = ( $prms{'Type'} or 'rsa' ); # unused
688+ $self->{'DATA'} = $prms{'Data'};
689+
690+ bless $self, $type;
691+@@ -99,9 +99,7 @@ sub fetch_async {
692+ my $self = $class->parse($strn);
693+ $self->{Selector} = $prms{'Selector'};
694+ $self->{Domain} = $prms{'Domain'};
695+- $self->{TYPE} = ( $self->get_tag('k') or 'rsa' );
696+ $self->check;
697+-
698+ return $on_success->($self);
699+ };
700+
701+@@ -286,7 +284,7 @@ sub convert {
702+
703+ # Use different libs subject to k= tag.
704+ # Without k= tag, default to RSA to maintain prior behavior
705+- my $k = ( $self->get_tag('k') or 'rsa' );
706++ my $k = $self->get_tag('k') || 'rsa';
707+ if ( $k eq 'rsa' ) {
708+ use Crypt::OpenSSL::RSA;
709+ }
710+diff --git a/lib/Mail/DKIM/Signer.pm b/lib/Mail/DKIM/Signer.pm
711+index 7aebced..24b5285 100644
712+--- a/lib/Mail/DKIM/Signer.pm
713++++ b/lib/Mail/DKIM/Signer.pm
714+@@ -185,9 +185,6 @@ sub finish_body {
715+ # finished canonicalizing
716+ $algorithm->finish_body;
717+
718+- my $type = 'rsa'; # default
719+- $type = 'ed25519' if ( $self->{'Algorithm'} =~ /^ed25519/ );
720+-
721+ # load the private key file if necessary
722+ my $signature = $algorithm->signature;
723+ my $key =
724+@@ -196,8 +193,7 @@ sub finish_body {
725+ || $self->{Key}
726+ || $self->{KeyFile};
727+ if ( defined($key) && !ref($key) ) {
728+- $key = Mail::DKIM::PrivateKey->load( File => $key,
729+- Type => $type );
730++ $key = Mail::DKIM::PrivateKey->load( File => $key );
731+ }
732+ $key
733+ or die "no key available to sign with\n";
734+--
735+2.40.1
736+
737diff --git a/debian/patches/0004-Revert-added-ed25519-signing-support.patch b/debian/patches/0004-Revert-added-ed25519-signing-support.patch
738new file mode 100644
739index 0000000..7966790
740--- /dev/null
741+++ b/debian/patches/0004-Revert-added-ed25519-signing-support.patch
742@@ -0,0 +1,327 @@
743+From 74064a137e63c028a815eb24dcd8b52c616a08bc Mon Sep 17 00:00:00 2001
744+From: Miriam Espana Acebal <miriam.espana@canonical.com>
745+Date: Fri, 16 Feb 2024 13:15:23 +0100
746+Subject: [PATCH 4/5] Revert "added ed25519 signing support."
747+
748+This reverts commit edd9897ee9208f41035f311d5b8443a5513a6037.
749+---
750+ lib/Mail/DKIM/PrivateKey.pm | 114 +++++++++---------------------------
751+ lib/Mail/DKIM/PublicKey.pm | 12 ++--
752+ lib/Mail/DKIM/Signer.pm | 16 ++---
753+ t/signer.t | 54 +----------------
754+ t/test.ed.key | 3 -
755+ 5 files changed, 38 insertions(+), 161 deletions(-)
756+ delete mode 100644 t/test.ed.key
757+
758+diff --git a/lib/Mail/DKIM/PrivateKey.pm b/lib/Mail/DKIM/PrivateKey.pm
759+index ad98dd2..261f866 100644
760+--- a/lib/Mail/DKIM/PrivateKey.pm
761++++ b/lib/Mail/DKIM/PrivateKey.pm
762+@@ -52,85 +52,42 @@ sub load {
763+
764+
765+ sub convert {
766+- my $self = shift;
767++ use Crypt::OpenSSL::RSA;
768+
769+- # Use different libs subject to key type.
770+- if ( $self->{'TYPE'} eq 'rsa' ) {
771+- use Crypt::OpenSSL::RSA;
772+- }
773+- elsif ( $self->{'TYPE'} eq 'ed25519' ) {
774+- use Crypt::PK::Ed25519;
775+- }
776++ my $self = shift;
777+
778+ $self->data
779+ or return;
780+
781+- if ( $self->{'TYPE'} eq 'rsa' ) {
782+-
783+- # have to PKCS1ify the privkey because openssl is too finicky...
784+- my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n";
785+-
786+- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
787+- $pkcs .= substr $self->data, $i, 64;
788+- $pkcs .= "\n";
789+- }
790+-
791+- $pkcs .= "-----END RSA PRIVATE KEY-----\n";
792+-
793+- my $cork;
794+-
795+- eval {
796+- local $SIG{__DIE__};
797+- $cork = new_private_key Crypt::OpenSSL::RSA($pkcs);
798+- 1
799+- } || do {
800+- $self->errorstr($@);
801+- return;
802+- };
803+-
804+- $cork
805+- or return;
806+-
807+- # segfaults on my machine
808+- # $cork->check_key or
809+- # return;
810+-
811+- $self->cork($cork);
812++ # have to PKCS1ify the privkey because openssl is too finicky...
813++ my $pkcs = "-----BEGIN RSA PRIVATE KEY-----\n";
814+
815++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
816++ $pkcs .= substr $self->data, $i, 64;
817++ $pkcs .= "\n";
818+ }
819+- elsif ( $self->{'TYPE'} eq 'ed25519' ) {
820+- my $cork;
821+
822+- eval {
823+- local $SIG{__DIE__};
824+- $cork = new Crypt::PK::Ed25519;
825++ $pkcs .= "-----END RSA PRIVATE KEY-----\n";
826+
827+- # Prepend/append with PEM boilerplate
828+- my $pem = "-----BEGIN ED25519 PRIVATE KEY-----\n";
829+- $pem .= $self->data;
830+- $pem .= "\n";
831+- $pem .= "-----END ED25519 PRIVATE KEY-----\n";
832++ my $cork;
833+
834+- # Pass PEM text buffer
835+- $cork->import_key(\$pem)
836+- or die 'failed to load Ed25519 private key';
837++ eval {
838++ local $SIG{__DIE__};
839++ $cork = new_private_key Crypt::OpenSSL::RSA($pkcs);
840++ 1
841++ } || do {
842++ $self->errorstr($@);
843++ return;
844++ };
845+
846+- # Alternatively, import_raw_key() could be used,
847+- # but requires the 32-byte key, which must be extracted
848+- # from the ASN.1 structure first.
849+-
850+- 1
851+- } || do {
852+- $self->errorstr($@);
853+- return;
854+- };
855+-
856+- $cork
857+- or return;
858++ $cork
859++ or return;
860+
861+- $self->cork($cork);
862++ # segfaults on my machine
863++ # $cork->check_key or
864++ # return;
865+
866+- }
867++ $self->cork($cork);
868+
869+ return 1;
870+ }
871+@@ -155,27 +112,12 @@ sub sign_digest {
872+ my $self = shift;
873+ my ( $digest_algorithm, $digest ) = @_;
874+
875+- if ( $self->{'TYPE'} eq 'rsa') {
876+-
877+- my $rsa_priv = $self->cork;
878+- $rsa_priv->use_no_padding;
879+-
880+- my $k = $rsa_priv->size;
881+- my $EM = calculate_EM( $digest_algorithm, $digest, $k );
882+- return $rsa_priv->decrypt($EM);
883++ my $rsa_priv = $self->cork;
884++ $rsa_priv->use_no_padding;
885+
886+- }
887+- elsif ( $self->{'TYPE'} eq 'ed25519') {
888+-
889+- my $ed = $self->cork;
890+- if ( !$ed ) {
891+- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem';
892+- die;
893+- }
894+-
895+- return $ed->sign_message($digest);
896+-
897+- }
898++ my $k = $rsa_priv->size;
899++ my $EM = calculate_EM( $digest_algorithm, $digest, $k );
900++ return $rsa_priv->decrypt($EM);
901+ }
902+
903+ __END__
904+diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm
905+index dce1736..b7b2a49 100644
906+--- a/lib/Mail/DKIM/PublicKey.pm
907++++ b/lib/Mail/DKIM/PublicKey.pm
908+@@ -285,10 +285,9 @@ sub convert {
909+ # Use different libs subject to k= tag.
910+ # Without k= tag, default to RSA to maintain prior behavior
911+ my $k = $self->get_tag('k') || 'rsa';
912+- if ( $k eq 'rsa' ) {
913++ if ($k eq 'rsa') {
914+ use Crypt::OpenSSL::RSA;
915+- }
916+- elsif ( $k eq 'ed25519' ) {
917++ } elsif ($k eq 'ed25519') {
918+ use Crypt::PK::Ed25519;
919+ use MIME::Base64;
920+ }
921+@@ -296,7 +295,7 @@ sub convert {
922+ $self->data
923+ or return;
924+
925+- if ( $k eq 'rsa' ) {
926++ if ($k eq 'rsa') {
927+ # have to PKCS1ify the pubkey because openssl is too finicky...
928+ my $cert = "-----BEGIN PUBLIC KEY-----\n";
929+
930+@@ -316,8 +315,7 @@ sub convert {
931+
932+ $self->cork($cork);
933+
934+- }
935+- elsif ( $k eq 'ed25519' ) {
936++ } elsif ($k eq 'ed25519') {
937+ my $cork = Crypt::PK::Ed25519->new
938+ or die 'unable to generate Ed25519 public key object';
939+
940+@@ -492,9 +490,7 @@ sub verify_digest {
941+
942+ $@ = 'bad Ed25519 signature';
943+ return;
944+-
945+ }
946+-
947+ }
948+
949+ 1;
950+diff --git a/lib/Mail/DKIM/Signer.pm b/lib/Mail/DKIM/Signer.pm
951+index 24b5285..b1d751a 100644
952+--- a/lib/Mail/DKIM/Signer.pm
953++++ b/lib/Mail/DKIM/Signer.pm
954+@@ -61,21 +61,16 @@ sub init {
955+ my $self = shift;
956+ $self->SUPER::init;
957+
958++ if ( defined $self->{KeyFile} ) {
959++ $self->{Key} ||=
960++ Mail::DKIM::PrivateKey->load( File => $self->{KeyFile} );
961++ }
962++
963+ unless ( $self->{'Algorithm'} ) {
964+
965+ # use default algorithm
966+ $self->{'Algorithm'} = 'rsa-sha1';
967+ }
968+-
969+- my $type = 'rsa'; # default
970+- $type = 'ed25519' if ( $self->{'Algorithm'} =~ /^ed25519/ );
971+-
972+- if ( defined $self->{KeyFile} ) {
973+- $self->{Key} ||=
974+- Mail::DKIM::PrivateKey->load( File => $self->{KeyFile},
975+- Type => $type );
976+- }
977+-
978+ unless ( $self->{'Method'} ) {
979+
980+ # use default canonicalization method
981+@@ -91,7 +86,6 @@ sub init {
982+ # use default selector
983+ $self->{'Selector'} = 'unknown';
984+ }
985+-
986+ }
987+
988+ sub finish_header {
989+diff --git a/t/signer.t b/t/signer.t
990+index 7cc4738..203a671 100755
991+--- a/t/signer.t
992++++ b/t/signer.t
993+@@ -2,7 +2,7 @@
994+
995+ use strict;
996+ use warnings;
997+-use Test::Simple tests => 35;
998++use Test::Simple tests => 31;
999+
1000+ use Mail::DKIM::Signer;
1001+
1002+@@ -238,55 +238,3 @@ END_OF_SAMPLE
1003+ ok( $sigstr =~ /subject/i, "subject was signed" );
1004+ ok( $sigstr =~ /from/i, "from was signed" );
1005+ }
1006+-
1007+-{
1008+- my $EXPECTED_RE = qr/4goHxydMueA3ev5toKlGLc7sUrwPG/;
1009+-
1010+- my $tdir = -f "t/test.ed.key" ? "t" : ".";
1011+- my $keyfile = "$tdir/test.ed.key";
1012+- my $dkim = Mail::DKIM::Signer->new(
1013+- Algorithm => "ed25519-sha256",
1014+- Method => "relaxed",
1015+- Domain => "example.org",
1016+- Selector => "test",
1017+- KeyFile => $keyfile
1018+- );
1019+- ok( $dkim, "new() works" );
1020+-
1021+- my $sample_email = <<END_OF_SAMPLE;
1022+-From: alice <alice\@example.org>
1023+-Date: Wed, 12 May 2023 14:00:00 +0200
1024+-Subject: ed25519
1025+-
1026+-this is an elliptic test.
1027+-END_OF_SAMPLE
1028+- $sample_email =~ s/\n/\015\012/gs;
1029+-
1030+- $dkim->PRINT($sample_email);
1031+- $dkim->CLOSE;
1032+-
1033+- my $signature = $dkim->signature;
1034+- ok( $signature, "signature() works" );
1035+-
1036+- print "# signature=" . $signature->as_string . "\n";
1037+- ok( $signature->as_string =~ /$EXPECTED_RE/, "got expected signature value" );
1038+-
1039+- # Modify sample email and sign again
1040+-
1041+- $sample_email =~ s/Wed, 12/Tue, 11/;
1042+- $dkim = Mail::DKIM::Signer->new(
1043+- Algorithm => "ed25519-sha256",
1044+- Method => "relaxed",
1045+- Domain => "example.org",
1046+- Selector => "test",
1047+- KeyFile => $keyfile
1048+- );
1049+- $dkim->PRINT($sample_email);
1050+- $dkim->CLOSE;
1051+-
1052+- $signature = $dkim->signature;
1053+-
1054+- print "# signature=" . $signature->as_string . "\n";
1055+- ok( $signature->as_string !~ /$EXPECTED_RE/, "got expected signature mismatch" );
1056+-
1057+-}
1058+diff --git a/t/test.ed.key b/t/test.ed.key
1059+deleted file mode 100644
1060+index 8e3a9d3..0000000
1061+--- a/t/test.ed.key
1062++++ /dev/null
1063+@@ -1,3 +0,0 @@
1064+------BEGIN PRIVATE KEY-----
1065+-MC4CAQAwBQYDK2VwBCIEIBNq8eB74GQ0uhob9AKDiQFK2vPZy3Rpqw6ec66p3A+m
1066+------END PRIVATE KEY-----
1067+--
1068+2.40.1
1069+
1070diff --git a/debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch b/debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch
1071new file mode 100644
1072index 0000000..5f2b978
1073--- /dev/null
1074+++ b/debian/patches/0005-Revert-added-support-for-verifying-Ed25519-signature.patch
1075@@ -0,0 +1,578 @@
1076+From 007bf781b0efd2f9f41cd6c259ad02fb488337c6 Mon Sep 17 00:00:00 2001
1077+From: Miriam Espana Acebal <miriam.espana@canonical.com>
1078+Date: Fri, 16 Feb 2024 13:17:00 +0100
1079+Subject: [PATCH 5/5] Revert "added support for *verifying* Ed25519 signatures
1080+ (depends on Crypt::PK::Ed25519)."
1081+
1082+This reverts commit 3aa592be9bff03672e229a7e70abef0a5b302ce7.
1083+---
1084+ HACKING.DKIM | 9 +-
1085+ README.md | 1 -
1086+ lib/Mail/DKIM/Algorithm/ed25519_sha256.pm | 121 ---------------------
1087+ lib/Mail/DKIM/PublicKey.pm | 127 +++++++---------------
1088+ lib/Mail/DKIM/Signature.pm | 11 +-
1089+ lib/Mail/DKIM/Verifier.pm | 17 +--
1090+ t/FAKE_DNS.dat | 2 -
1091+ t/corpus/badkey1_ed25519.txt | 16 ---
1092+ t/corpus/badkey2_ed25519.txt | 16 ---
1093+ t/corpus/badkey3_ed25519.txt | 16 ---
1094+ t/corpus/goodkey_ed25519.txt | 16 ---
1095+ t/verifier.t | 8 +-
1096+ 12 files changed, 57 insertions(+), 303 deletions(-)
1097+ delete mode 100644 lib/Mail/DKIM/Algorithm/ed25519_sha256.pm
1098+ delete mode 100644 t/corpus/badkey1_ed25519.txt
1099+ delete mode 100644 t/corpus/badkey2_ed25519.txt
1100+ delete mode 100644 t/corpus/badkey3_ed25519.txt
1101+ delete mode 100644 t/corpus/goodkey_ed25519.txt
1102+
1103+diff --git a/HACKING.DKIM b/HACKING.DKIM
1104+index 9d8354a..e21ab49 100644
1105+--- a/HACKING.DKIM
1106++++ b/HACKING.DKIM
1107+@@ -30,18 +30,11 @@ New version - update version numbers in these files:
1108+ New algorithm:
1109+ create new algorithm class by copying and editing
1110+ lib/Mail/DKIM/Algorithm/rsa_sha1.pm
1111+- edit lib/Mail/DKIM/Signature.pm:
1112++ edit lib/Mail/DKIM/Common.pm:
1113+ get_algorithm_class() - add a check for your new algorithm and return
1114+ the name of your new algorithm class
1115+ add a "use" line at the top of this file so that your algorithm class
1116+ gets imported
1117+- if the new algorithm uses a different key type (k=), also edit
1118+- lib/Mail/DKIM/PublicKey.pm:
1119+- check()
1120+- convert()
1121+- verify_digest()
1122+- lib/Mail/DKIM/Verifier.pm:
1123+- _check_and_verify_signature()
1124+
1125+ --
1126+
1127+diff --git a/README.md b/README.md
1128+index 5b937a9..cf1dd52 100644
1129+--- a/README.md
1130++++ b/README.md
1131+@@ -30,7 +30,6 @@ DEPENDENCIES
1132+ This module requires these other modules and libraries:
1133+
1134+ Crypt::OpenSSL::RSA
1135+- Crypt::PK::Ed25519
1136+ Digest::SHA
1137+ Mail::Address (part of the MailTools package)
1138+ MIME::Base64
1139+diff --git a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm b/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm
1140+deleted file mode 100644
1141+index d97deeb..0000000
1142+--- a/lib/Mail/DKIM/Algorithm/ed25519_sha256.pm
1143++++ /dev/null
1144+@@ -1,121 +0,0 @@
1145+-package Mail::DKIM::Algorithm::ed25519_sha256;
1146+-use strict;
1147+-use warnings;
1148+-# VERSION
1149+-# ABSTRACT: edd2519 sha256 algorithm class
1150+-
1151+-# Copyright 2005-2006 Messiah College. All rights reserved.
1152+-# Jason Long <jlong@messiah.edu>
1153+-
1154+-# Copyright (c) 2004 Anthony D. Urso. All rights reserved.
1155+-# This program is free software; you can redistribute it and/or
1156+-# modify it under the same terms as Perl itself.
1157+-
1158+-use base 'Mail::DKIM::Algorithm::Base';
1159+-use Carp;
1160+-use MIME::Base64;
1161+-use Digest::SHA;
1162+-
1163+-sub init_digests {
1164+- my $self = shift;
1165+-
1166+- # initialize a SHA-256 Digest
1167+- $self->{header_digest} = new Digest::SHA(256);
1168+- $self->{body_digest} = new Digest::SHA(256);
1169+-}
1170+-
1171+-sub sign {
1172+- my $self = shift;
1173+- croak 'wrong number of arguments' unless ( @_ == 1 );
1174+- my ($private_key) = @_;
1175+-
1176+- my $digest = $self->{header_digest}->digest;
1177+- my $signature = $private_key->sign_digest( 'SHA-256', $digest );
1178+-
1179+- return encode_base64( $signature, '' );
1180+-}
1181+-
1182+-sub verify {
1183+- my $self = shift;
1184+- croak 'wrong number of arguments' unless ( @_ == 0 );
1185+-
1186+- my $base64 = $self->signature->data;
1187+- my $public_key = $self->signature->get_public_key;
1188+-
1189+- my $digest = $self->{header_digest}->digest;
1190+- my $sig = decode_base64($base64);
1191+-
1192+- return unless $public_key->verify_digest( 'SHA-256', $digest, $sig );
1193+- return $self->check_body_hash;
1194+-}
1195+-
1196+-sub wants_pre_signature_headers {
1197+- return 1;
1198+-}
1199+-
1200+-1;
1201+-
1202+-__END__
1203+-
1204+-=pod
1205+-
1206+-=encoding UTF-8
1207+-
1208+-=head1 NAME
1209+-
1210+-Mail::DKIM::Algorithm::ed25519_sha256 - ed25519 sha256 algorithm class
1211+-
1212+-=head1 VERSION
1213+-
1214+-version 1.20240124
1215+-
1216+-=head1 AUTHORS
1217+-
1218+-=over 4
1219+-
1220+-=item *
1221+-
1222+-Jason Long <jason@long.name>
1223+-
1224+-=item *
1225+-
1226+-Marc Bradshaw <marc@marcbradshaw.net>
1227+-
1228+-=item *
1229+-
1230+-Bron Gondwana <brong@fastmailteam.com> (ARC)
1231+-
1232+-=back
1233+-
1234+-=head1 THANKS
1235+-
1236+-Work on ensuring that this module passes the ARC test suite was
1237+-generously sponsored by Valimail (https://www.valimail.com/)
1238+-
1239+-=head1 COPYRIGHT AND LICENSE
1240+-
1241+-=over 4
1242+-
1243+-=item *
1244+-
1245+-Copyright (C) 2013 by Messiah College
1246+-
1247+-=item *
1248+-
1249+-Copyright (C) 2010 by Jason Long
1250+-
1251+-=item *
1252+-
1253+-Copyright (C) 2017 by Standcore LLC
1254+-
1255+-=item *
1256+-
1257+-Copyright (C) 2020 by FastMail Pty Ltd
1258+-
1259+-=back
1260+-
1261+-This library is free software; you can redistribute it and/or modify
1262+-it under the same terms as Perl itself, either Perl version 5.8.6 or,
1263+-at your option, any later version of Perl 5 you may have available.
1264+-
1265+-=cut
1266+diff --git a/lib/Mail/DKIM/PublicKey.pm b/lib/Mail/DKIM/PublicKey.pm
1267+index b7b2a49..0080c67 100644
1268+--- a/lib/Mail/DKIM/PublicKey.pm
1269++++ b/lib/Mail/DKIM/PublicKey.pm
1270+@@ -25,7 +25,7 @@ sub new {
1271+ $self->{'GRAN'} = $prms{'Granularity'};
1272+ $self->{'NOTE'} = $prms{'Note'};
1273+ $self->{'TEST'} = $prms{'Testing'};
1274+- #$self->{'TYPE'} = ( $prms{'Type'} or 'rsa' ); # unused
1275++ $self->{'TYPE'} = ( $prms{'Type'} or 'rsa' );
1276+ $self->{'DATA'} = $prms{'Data'};
1277+
1278+ bless $self, $type;
1279+@@ -130,7 +130,7 @@ sub check {
1280+
1281+ # check key type
1282+ if ( my $k = $self->get_tag('k') ) {
1283+- unless ( $k eq 'rsa' || $k eq 'ed25519' ) {
1284++ unless ( $k eq 'rsa' ) {
1285+ die "unsupported key type\n";
1286+ }
1287+ }
1288+@@ -162,9 +162,6 @@ sub check {
1289+ elsif ( $E =~ /^(panic:.*?) at / ) {
1290+ $E = "OpenSSL $1";
1291+ }
1292+- elsif ( $E =~ /^FATAL: (.*) at / ) {
1293+- $E = "Ed25519 $1";
1294+- }
1295+ die "$E\n";
1296+ };
1297+
1298+@@ -280,52 +277,31 @@ sub check_hash_algorithm {
1299+ # found in this public key's DNS record. The OpenSSL object is saved
1300+ # in the "cork" property.
1301+ sub convert {
1302+- my $self = shift;
1303++ use Crypt::OpenSSL::RSA;
1304+
1305+- # Use different libs subject to k= tag.
1306+- # Without k= tag, default to RSA to maintain prior behavior
1307+- my $k = $self->get_tag('k') || 'rsa';
1308+- if ($k eq 'rsa') {
1309+- use Crypt::OpenSSL::RSA;
1310+- } elsif ($k eq 'ed25519') {
1311+- use Crypt::PK::Ed25519;
1312+- use MIME::Base64;
1313+- }
1314++ my $self = shift;
1315+
1316+ $self->data
1317+ or return;
1318+
1319+- if ($k eq 'rsa') {
1320+- # have to PKCS1ify the pubkey because openssl is too finicky...
1321+- my $cert = "-----BEGIN PUBLIC KEY-----\n";
1322+-
1323+- for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
1324+- $cert .= substr $self->data, $i, 64;
1325+- $cert .= "\n";
1326+- }
1327+-
1328+- $cert .= "-----END PUBLIC KEY-----\n";
1329+-
1330+- my $cork = Crypt::OpenSSL::RSA->new_public_key($cert)
1331+- or die 'unable to generate public key object';
1332++ # have to PKCS1ify the pubkey because openssl is too finicky...
1333++ my $cert = "-----BEGIN PUBLIC KEY-----\n";
1334+
1335+- # segfaults on my machine
1336+- # $cork->check_key or
1337+- # return;
1338+-
1339+- $self->cork($cork);
1340++ for ( my $i = 0 ; $i < length $self->data ; $i += 64 ) {
1341++ $cert .= substr $self->data, $i, 64;
1342++ $cert .= "\n";
1343++ }
1344+
1345+- } elsif ($k eq 'ed25519') {
1346+- my $cork = Crypt::PK::Ed25519->new
1347+- or die 'unable to generate Ed25519 public key object';
1348++ $cert .= "-----END PUBLIC KEY-----\n";
1349+
1350+- my $keybin = decode_base64($self->data);
1351+- $cork->import_key_raw($keybin, 'public')
1352+- or die 'failed to load Ed25519 public key';
1353++ my $cork = Crypt::OpenSSL::RSA->new_public_key($cert)
1354++ or die 'unable to generate public key object';
1355+
1356+- $self->cork($cork);
1357++ # segfaults on my machine
1358++ # $cork->check_key or
1359++ # return;
1360+
1361+- }
1362++ $self->cork($cork);
1363+
1364+ return 1;
1365+ }
1366+@@ -440,57 +416,38 @@ sub verify_digest {
1367+ my $self = shift;
1368+ my ( $digest_algorithm, $digest, $signature ) = @_;
1369+
1370+- my $k_tag = $self->get_tag('k') || 'rsa';
1371+-
1372+- if ($k_tag eq 'rsa') {
1373+- my $rsa_pub = $self->cork;
1374+- if ( !$rsa_pub ) {
1375+- $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem';
1376+- $@ .= ", s=$self->{Selector} d=$self->{Domain}";
1377+- return;
1378+- }
1379+-
1380+- $rsa_pub->use_no_padding;
1381+- my $verify_result = $rsa_pub->encrypt($signature);
1382+-
1383+- my $k = $rsa_pub->size;
1384+- my $expected = calculate_EM( $digest_algorithm, $digest, $k );
1385+- return 1 if ( $verify_result eq $expected );
1386+-
1387+- # well, the RSA verification failed; I wonder if the RSA signing
1388+- # was performed on a different digest value? I think we can check...
1389+-
1390+- # basically, if the $verify_result has the same prefix as $expected,
1391+- # then only the digest was different
1392+-
1393+- my $digest_len = length $digest;
1394+- my $prefix_len = length($expected) - $digest_len;
1395+- if (
1396+- substr( $verify_result, 0, $prefix_len ) eq
1397+- substr( $expected, 0, $prefix_len ) )
1398+- {
1399+- $@ = 'message has been altered';
1400+- return;
1401+- }
1402+-
1403+- $@ = 'bad RSA signature';
1404++ my $rsa_pub = $self->cork;
1405++ if ( !$rsa_pub ) {
1406++ $@ = $@ ne '' ? "RSA failed: $@" : 'RSA unknown problem';
1407++ $@ .= ", s=$self->{Selector} d=$self->{Domain}";
1408+ return;
1409++ }
1410+
1411+- } elsif ($k_tag eq 'ed25519') {
1412++ $rsa_pub->use_no_padding;
1413++ my $verify_result = $rsa_pub->encrypt($signature);
1414+
1415+- my $ed = $self->cork;
1416+- if ( !$ed ) {
1417+- $@ = $@ ne '' ? "Ed25519 failed: $@" : 'Ed25519 unknown problem';
1418+- $@ .= ", s=$self->{Selector} d=$self->{Domain}";
1419+- return;
1420+- }
1421++ my $k = $rsa_pub->size;
1422++ my $expected = calculate_EM( $digest_algorithm, $digest, $k );
1423++ return 1 if ( $verify_result eq $expected );
1424+
1425+- my $verify_result = $ed->verify_message($signature, $digest);
1426+- return $verify_result if ($verify_result == 1);
1427++ # well, the RSA verification failed; I wonder if the RSA signing
1428++ # was performed on a different digest value? I think we can check...
1429+
1430+- $@ = 'bad Ed25519 signature';
1431++ # basically, if the $verify_result has the same prefix as $expected,
1432++ # then only the digest was different
1433++
1434++ my $digest_len = length $digest;
1435++ my $prefix_len = length($expected) - $digest_len;
1436++ if (
1437++ substr( $verify_result, 0, $prefix_len ) eq
1438++ substr( $expected, 0, $prefix_len ) )
1439++ {
1440++ $@ = 'message has been altered';
1441+ return;
1442+ }
1443++
1444++ $@ = 'bad RSA signature';
1445++ return;
1446+ }
1447+
1448+ 1;
1449+diff --git a/lib/Mail/DKIM/Signature.pm b/lib/Mail/DKIM/Signature.pm
1450+index 7beb5e9..0504329 100644
1451+--- a/lib/Mail/DKIM/Signature.pm
1452++++ b/lib/Mail/DKIM/Signature.pm
1453+@@ -14,7 +14,6 @@ our $VERSION = '1.20240124'; # VERSION
1454+ use Mail::DKIM::PublicKey;
1455+ use Mail::DKIM::Algorithm::rsa_sha1;
1456+ use Mail::DKIM::Algorithm::rsa_sha256;
1457+-use Mail::DKIM::Algorithm::ed25519_sha256;
1458+
1459+ use base 'Mail::DKIM::KeyValueList';
1460+ use Carp;
1461+@@ -83,6 +82,14 @@ sub wantheader {
1462+ return;
1463+ }
1464+
1465++=head2 algorithm() - get or set the algorithm (a=) field
1466++
1467++The algorithm used to generate the signature. Should be either "rsa-sha1",
1468++an RSA-signed SHA-1 digest, or "rsa-sha256", an RSA-signed SHA-256 digest.
1469++
1470++See also hash_algorithm().
1471++
1472++=cut
1473+
1474+ sub algorithm {
1475+ my $self = shift;
1476+@@ -343,7 +350,6 @@ sub get_algorithm_class {
1477+ my $class =
1478+ $algorithm eq 'rsa-sha1' ? 'Mail::DKIM::Algorithm::rsa_sha1'
1479+ : $algorithm eq 'rsa-sha256' ? 'Mail::DKIM::Algorithm::rsa_sha256'
1480+- : $algorithm eq 'ed25519-sha256' ? 'Mail::DKIM::Algorithm::ed25519_sha256'
1481+ : undef;
1482+ return $class;
1483+ }
1484+@@ -426,7 +432,6 @@ sub hash_algorithm {
1485+ return
1486+ $algorithm eq 'rsa-sha1' ? 'sha1'
1487+ : $algorithm eq 'rsa-sha256' ? 'sha256'
1488+- : $algorithm eq 'ed25519-sha256' ? 'sha256'
1489+ : undef;
1490+ }
1491+
1492+diff --git a/lib/Mail/DKIM/Verifier.pm b/lib/Mail/DKIM/Verifier.pm
1493+index 8dfa65b..c1ca743 100644
1494+--- a/lib/Mail/DKIM/Verifier.pm
1495++++ b/lib/Mail/DKIM/Verifier.pm
1496+@@ -348,15 +348,11 @@ sub _check_and_verify_signature {
1497+ return ( 'invalid', $self->{signature_reject_reason} );
1498+ }
1499+
1500+- # special handling for RSA signatures
1501+- my $k = $pkey->get_tag('k') || 'rsa';
1502+- if ($k eq 'rsa') {
1503+- # make sure key is big enough
1504+- my $keysize = $pkey->cork->size * 8; # in bits
1505+- if ( $keysize < 1024 && $self->{Strict} ) {
1506+- $self->{signature_reject_reason} = "Key length $keysize too short";
1507+- return ( 'fail', $self->{signature_reject_reason} );
1508+- }
1509++ # make sure key is big enough
1510++ my $keysize = $pkey->cork->size * 8; # in bits
1511++ if ( $keysize < 1024 && $self->{Strict} ) {
1512++ $self->{signature_reject_reason} = "Key length $keysize too short";
1513++ return ( 'fail', $self->{signature_reject_reason} );
1514+ }
1515+
1516+ # verify signature
1517+@@ -377,9 +373,6 @@ sub _check_and_verify_signature {
1518+ elsif ( $E =~ /^(panic:.*?) at / ) {
1519+ $E = "OpenSSL $1";
1520+ }
1521+- elsif ( $E =~ /^FATAL: (.*) at / ) {
1522+- $E = "Ed25519 $1";
1523+- }
1524+ $result = 'fail';
1525+ $details = $E;
1526+ };
1527+diff --git a/t/FAKE_DNS.dat b/t/FAKE_DNS.dat
1528+index 22e24da..e1683da 100644
1529+--- a/t/FAKE_DNS.dat
1530++++ b/t/FAKE_DNS.dat
1531+@@ -24,5 +24,3 @@ foo._domainkey.vmt2.cis.att.net v=DKIM1; k=rsa; n=send%20comments%20to%20tony%4
1532+ nonexistent._domainkey.messiah.edu NXDOMAIN
1533+ test3._domainkey.blackhole.messiah.edu ~~Query timed out~~
1534+ test3._domainkey.blackhole2.messiah.edu ~~SERVFAIL~~
1535+-2023-05-ed25519._domainkey.wander.science v=DKIM1; k=ed25519; p=pP+YUyRjAvKha4Oc49KAY703oLUS1NLMEuGD3IHMKww=
1536+-invalid._domainkey.wander.science v=DKIM1; k=ed25519; p=MCowBQYDK2VwAyEA3SUqa9UbfciWkk7tlcJ9P1VD5pXAasg0JUn/OgjVbKE=
1537+diff --git a/t/corpus/badkey1_ed25519.txt b/t/corpus/badkey1_ed25519.txt
1538+deleted file mode 100644
1539+index 48dca6c..0000000
1540+--- a/t/corpus/badkey1_ed25519.txt
1541++++ /dev/null
1542+@@ -1,16 +0,0 @@
1543+-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
1544+- d=wander.science; s=invalid; h=Subject:Content-Transfer-Encoding:
1545+- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References:
1546+- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s
1547+- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg
1548+- ==;
1549+-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science>
1550+-Date: Wed, 10 May 2023 21:54:21 +0200
1551+-MIME-Version: 1.0
1552+-To: echo@mail.town
1553+-From: mail@wander.science
1554+-Content-Type: text/plain; charset=UTF-8; format=flowed
1555+-Content-Transfer-Encoding: 7bit
1556+-Subject: Test ed25519
1557+-
1558+-The public key is invalid (wrong key length).
1559+diff --git a/t/corpus/badkey2_ed25519.txt b/t/corpus/badkey2_ed25519.txt
1560+deleted file mode 100644
1561+index bbb0d6b..0000000
1562+--- a/t/corpus/badkey2_ed25519.txt
1563++++ /dev/null
1564+@@ -1,16 +0,0 @@
1565+-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
1566+- d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding:
1567+- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References:
1568+- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s
1569+- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg
1570+- ==;
1571+-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science>
1572+-Date: Wed, 10 May 2023 21:54:21 +0200
1573+-MIME-Version: 1.0
1574+-To: echo@mail.town
1575+-From: mail@wander.science
1576+-Content-Type: text/plain; charset=UTF-8; format=flowed
1577+-Content-Transfer-Encoding: 7bit
1578+-Subject: Test ed25519 wrong signature - subject modified
1579+-
1580+-This is an elliptic test.
1581+diff --git a/t/corpus/badkey3_ed25519.txt b/t/corpus/badkey3_ed25519.txt
1582+deleted file mode 100644
1583+index 02ea252..0000000
1584+--- a/t/corpus/badkey3_ed25519.txt
1585++++ /dev/null
1586+@@ -1,16 +0,0 @@
1587+-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
1588+- d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding:
1589+- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References:
1590+- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s
1591+- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg
1592+- ==;
1593+-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science>
1594+-Date: Wed, 10 May 2023 21:54:21 +0200
1595+-MIME-Version: 1.0
1596+-To: echo@mail.town
1597+-From: mail@wander.science
1598+-Content-Type: text/plain; charset=UTF-8; format=flowed
1599+-Content-Transfer-Encoding: 7bit
1600+-Subject: Test ed25519
1601+-
1602+-Signature invalid - body modified.
1603+diff --git a/t/corpus/goodkey_ed25519.txt b/t/corpus/goodkey_ed25519.txt
1604+deleted file mode 100644
1605+index 42c2eb3..0000000
1606+--- a/t/corpus/goodkey_ed25519.txt
1607++++ /dev/null
1608+@@ -1,16 +0,0 @@
1609+-DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;
1610+- d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding:
1611+- Content-Type:From:To:MIME-Version:Date:Message-ID:In-Reply-To:Cc:References:
1612+- Sender:Reply-To; bh=P//FppzGgSSJDjYgpnZ255T9+DxXvu14MiedTEyE5UY=; b=85mI8hH/s
1613+- TYf2w8vAF3BKeRs/7EMD8yGrrekJNcoZ8LxDd3RnpejvsG43I6vryFIx6xFmVSx65+zmxXu9/kvDg
1614+- ==;
1615+-Message-ID: <505c05af-3dd2-be13-df41-464353251933@wander.science>
1616+-Date: Wed, 10 May 2023 21:54:21 +0200
1617+-MIME-Version: 1.0
1618+-To: echo@mail.town
1619+-From: mail@wander.science
1620+-Content-Type: text/plain; charset=UTF-8; format=flowed
1621+-Content-Transfer-Encoding: 7bit
1622+-Subject: Test ed25519
1623+-
1624+-This is an elliptic test.
1625+diff --git a/t/verifier.t b/t/verifier.t
1626+index 90320d4..b1b1e28 100755
1627+--- a/t/verifier.t
1628++++ b/t/verifier.t
1629+@@ -2,7 +2,7 @@
1630+
1631+ use strict;
1632+ use warnings;
1633+-use Test::More tests => 109;
1634++use Test::More tests => 105;
1635+
1636+ use Mail::DKIM::Verifier;
1637+
1638+@@ -162,12 +162,6 @@ test_email( "badkey_15.txt", "invalid" ); # dns error (SERVFAIL)
1639+ ok( $dkim->result_detail =~ /public key/, "detail mentions public key" );
1640+ ok( $dkim->result_detail =~ /dns.*SERVFAIL/i, "type of dns failure" );
1641+
1642+-# test ed25519
1643+-test_email( "goodkey_ed25519.txt", "pass" );
1644+-test_email( "badkey1_ed25519.txt", "invalid" ); # key has invalid length
1645+-test_email( "badkey2_ed25519.txt", "fail" ); # header modified
1646+-test_email( "badkey3_ed25519.txt", "fail" ); # body modified
1647+-
1648+ sub read_file {
1649+ my $srcfile = shift;
1650+ open my $fh, "<", $srcfile
1651+--
1652+2.40.1
1653+
1654diff --git a/debian/patches/0006-Revert-Debian-support-for-ed25519.patch b/debian/patches/0006-Revert-Debian-support-for-ed25519.patch
1655new file mode 100644
1656index 0000000..1ae3d6d
1657--- /dev/null
1658+++ b/debian/patches/0006-Revert-Debian-support-for-ed25519.patch
1659@@ -0,0 +1,93 @@
1660+From 2ff36de8102d340f4b2f25fc538891049af1692b Mon Sep 17 00:00:00 2001
1661+From: Miriam Espana Acebal <miriam.espana@canonical.com>
1662+Date: Thu, 15 Feb 2024 16:50:10 +0100
1663+Subject: [PATCH] Revert-Debian-support-for-ed25519
1664+
1665+Reverting partially commit b0358e44077951cabd3f27ad99473ef3bd778e67 from Debian,
1666+just removing perl dependencies and files related to ed25519 in 1.20230630-1.
1667+---
1668+ MANIFEST | 7 -------
1669+ META.json | 1 -
1670+ META.yml | 1 -
1671+ Makefile.PL | 2 --
1672+ 4 files changed, 11 deletions(-)
1673+
1674+diff --git a/MANIFEST b/MANIFEST
1675+index edf3b5f..067c052 100644
1676+--- a/MANIFEST
1677++++ b/MANIFEST
1678+@@ -23,7 +23,6 @@ lib/Mail/DKIM/ARC/Signer.pm
1679+ lib/Mail/DKIM/ARC/Verifier.pm
1680+ lib/Mail/DKIM/Algorithm/Base.pm
1681+ lib/Mail/DKIM/Algorithm/dk_rsa_sha1.pm
1682+-lib/Mail/DKIM/Algorithm/ed25519_sha256.pm
1683+ lib/Mail/DKIM/Algorithm/rsa_sha1.pm
1684+ lib/Mail/DKIM/Algorithm/rsa_sha256.pm
1685+ lib/Mail/DKIM/AuthorDomainPolicy.pm
1686+@@ -83,11 +82,6 @@ t/corpus/bad_dk_5.txt
1687+ t/corpus/bad_ietf01_1.txt
1688+ t/corpus/bad_ietf01_2.txt
1689+ t/corpus/bad_ietf01_3.txt
1690+-t/corpus/badkey1_ed25519.txt
1691+-t/corpus/badkey2_ed25519.txt
1692+-t/corpus/badkey3_ed25519.txt
1693+-t/corpus/badkey4_ed25519.txt
1694+-t/corpus/badkey5_ed25519.txt
1695+ t/corpus/badkey_1.txt
1696+ t/corpus/badkey_10.txt
1697+ t/corpus/badkey_11.txt
1698+@@ -133,7 +127,6 @@ t/corpus/goodkey_1.txt
1699+ t/corpus/goodkey_2.txt
1700+ t/corpus/goodkey_3.txt
1701+ t/corpus/goodkey_4.txt
1702+-t/corpus/goodkey_ed25519.txt
1703+ t/corpus/ignore_1.txt
1704+ t/corpus/ignore_2.txt
1705+ t/corpus/ignore_3.txt
1706+diff --git a/META.json b/META.json
1707+index 0491f11..557b36e 100644
1708+--- a/META.json
1709++++ b/META.json
1710+@@ -31,7 +31,6 @@
1711+ "requires" : {
1712+ "Carp" : "0",
1713+ "Crypt::OpenSSL::RSA" : "0",
1714+- "Crypt::PK::Ed25519" : "0",
1715+ "Digest::SHA" : "0",
1716+ "MIME::Base64" : "0",
1717+ "Mail::Address" : "0",
1718+diff --git a/META.yml b/META.yml
1719+index 9a226c5..240ba76 100644
1720+--- a/META.yml
1721++++ b/META.yml
1722+@@ -24,7 +24,6 @@ name: Mail-DKIM
1723+ requires:
1724+ Carp: '0'
1725+ Crypt::OpenSSL::RSA: '0'
1726+- Crypt::PK::Ed25519: '0'
1727+ Digest::SHA: '0'
1728+ MIME::Base64: '0'
1729+ Mail::Address: '0'
1730+diff --git a/Makefile.PL b/Makefile.PL
1731+index d36be4e..43ab54e 100644
1732+--- a/Makefile.PL
1733++++ b/Makefile.PL
1734+@@ -19,7 +19,6 @@ my %WriteMakefileArgs = (
1735+ "PREREQ_PM" => {
1736+ "Carp" => 0,
1737+ "Crypt::OpenSSL::RSA" => 0,
1738+- "Crypt::PK::Ed25519" => 0,
1739+ "Digest::SHA" => 0,
1740+ "MIME::Base64" => 0,
1741+ "Mail::Address" => 0,
1742+@@ -50,7 +49,6 @@ my %WriteMakefileArgs = (
1743+ my %FallbackPrereqs = (
1744+ "Carp" => 0,
1745+ "Crypt::OpenSSL::RSA" => 0,
1746+- "Crypt::PK::Ed25519" => 0,
1747+ "Data::Dumper" => 0,
1748+ "Digest::SHA" => 0,
1749+ "MIME::Base64" => 0,
1750+--
1751+2.40.1
1752+
1753diff --git a/debian/patches/series b/debian/patches/series
1754new file mode 100644
1755index 0000000..6e5e0f9
1756--- /dev/null
1757+++ b/debian/patches/series
1758@@ -0,0 +1,6 @@
1759+0001-Revert-Ed25519-Add-test-for-missing-public-key.patch
1760+0002-Revert-Refactor-and-cleanup-some-ed25519-code.patch
1761+0003-Revert-set-rsa-ed25519-type.patch
1762+0004-Revert-added-ed25519-signing-support.patch
1763+0005-Revert-added-support-for-verifying-Ed25519-signature.patch
1764+0006-Revert-Debian-support-for-ed25519.patch

Subscribers

People subscribed via source and target branches