From: Murray S. K. <ms...@se...> - 2005-10-04 17:28:37
|
dk-milter has some debugging stuff that can help figure out what's going wrong with verification. Before you send your message to SM to test, set the environment variable DKDEBUG to "c", and restart the filter. This will cause libdk to leave temporary files in /var/tmp after canonicalization, so you will see the data that actually gets signed. Then if SM does the same thing on his side, you get the data that actually gets verified. Then if you diff the two, you'll see what's different between them. If there's nothing different, there's probably a key mismatch or something of that ilk. If there's something different, you can see what got munged between the sign and verify operations, and from that deduce what's going wrong. The usual culprit is a header being added or modified in transit, possibly even by a second milter running on the signing server. |