base.m4 (dkim_sign_headers): Oversign the headers we're interested in.
author Mark Wooding <mdw@distorted.org.uk>
Tue, 7 May 2024 12:06:26 +0000 (13:06 +0100)
committer Mark Wooding <mdw@distorted.org.uk>
Tue, 7 May 2024 12:06:26 +0000 (13:06 +0100)
Adds some stunt Exim expansion to count how many instances of each
header there are in the message and add an extra entry for each one into
the list plus an extra to catch any additional header added later.

This also has the happy side-effect of trimming spaces from the incoming
list items.

base.m4

diff --git a/base.m4 b/base.m4
index 0620a9b..1b671ef 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -451,8 +451,20 @@ m4_define(<:DKIM_SIGN:>,
                        {CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>)
        dkim_canon = relaxed
        dkim_strict = true
-       dkim_sign_headers = CONF_dkim_headers:\
-               X-CONF_header_token-DKIM-Key-Publication
+       ## The following ridiculous stunt does two important jobs.  Firstly,
+       ## and more obviously, it arranges to include one more copy of each
+       ## header name than the message actually contains, thereby causing
+       ## the signature to fail if another header with the same name is
+       ## added.  And secondly, and far more subtly, it also trims the
+       ## spaces from the header names so that they're in the format that
+       ## the signing machinery secretly wants.
+       dkim_sign_headers = \
+               ${sg {${map {CONF_dkim_headers : \
+                            X-CONF_header_token-DKIM-Key-Publication} \
+                           {$item${sg {${expand:\$h_$item:}\n} \
+                                      {((?:[^\n]+|\n\\s+)*)\n} \
+                                      {:$item}}}}} \
+                    {::}{:}}
        headers_add = \
                ${if DKIM_SIGN_P \
                        {DKIM_KEYS_INFO(<:m4_dnl
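Review bot: the continuation branch `\n\\s+` in the counting pattern `{((?:[^\n]+|\n\\s+)*)\n}` uses `\s`, which also matches a newline, so an instance with an empty body followed by another instance of the same header would be consumed as a fold and the two counted as one. That assumes instances are separated by a bare newline in the expanded header text, which the trailing `\n` in the pattern implies. An undercount here means fewer names in `dkim_sign_headers` than the comment promises, which weakens the oversigning for exactly that header. Restricting the continuation to a newline followed by spaces or tabs only would avoid it. Separately, the new comment explains the counting and the space trimming but not the outer `${sg {...} {::}{:}}`; a line saying why doubled colons need collapsing after the `${map ...}` would help the next reader.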