Help Needed: HTTP Signatures

Currently I am trying to figure out how to do the simplest s2s activity I can think of, a ‘Like’, and utterly failing.

I can’t find how to properly sign, as neither the example by Eugen Rochko, Jun 23, 2018, nor nosing around in the sources of Mastodon, PeerTube, Lemmy or Pixelfed brought success.

Could you have a look at line 79ff of https://codeberg.org/mro/activitypub/src/branch/master/note.sh#L79 and give me a hint how to do it right?

P.S.: the profile json is https://codeberg.org/mro/activitypub/src/branch/master/note.sh.profile.tpl

@bashrc how did you know which headers to pick at epicyon/httpsig.py at main - epicyon - Codeberg.org

Originally I looked at the python code of Little Boxes, and used that as a starting point.

In addition to the signature header you will need to set Host and probably User-Agent. The receiving side may also look back and try to check your actor.

1 Like

With the help of Signing HTTP Messages I got as far as PeerTube fetching the profile json from https://demo.mro.name/activitypub/u/alice/ but then complaining 'ActivityPub signature could not be checked'.

@chocobozzz I found PeerTube/http-signature.json at 8a2166c9bfa452ce707740d99c64d668cd7cedce · Chocobozzz/PeerTube · GitHub and wonder what got signed. Tried

(request-target): post /users/ronan2/inbox
host: localhost
date: Mon, 22 Oct 2018 13:34:22 GMT
digest: SHA-256=FEr5j2WSSfdEMcG3NTOXuGU0lUchfTJx4+BtUlWOwDk=
content-type: application/activity+json

but that doesn’t verify (see activitypub/test.sh at master - activitypub - Codeberg.org)

What should it rather be?

request-target looks wrong. I expect it should just be /inbox

host is the server that you are sending to. I don’t know about other instances, but Epicyon rejects anything addressed to localhost except if it is running unit tests.

The date is also important. There is a recency check to test that the post was sent within the last few minutes. 2018 is obviously older than that. This check is to avoid replay attacks.

Of course, none of the above is documented in the ActivityPub specification, and some people will fervently argue that this type of detail should remain undocumented.

1 Like

What fun would a puzzle be with the solution next to it?

1 Like

The date isn’t inspected by

openssl dgst \
  -sha256 \
  -verify "public.pem" \
  -signature "/tmp/sig.bin" \
  "/tmp/payload"

which fails to verify.

I meanwhile found the referred-to PeerTube test PeerTube/helpers.ts at 5d2fd66ab4a75281dab6363ba9131adee7be3a2b · Chocobozzz/PeerTube · GitHub to use /accounts/ronan/inbox

I am not sure that will work. The cipher used is very specific: PKCS1v15.

I don’t think HTTP signatures are part of ActivityPub; the proper spec is here.

2 Likes

I found a funny remark via Security - Mastodon documentation at the linked https://w3c-dvcg.github.io/http-signatures/ – it starts with the words

This is an experimental vocabulary and is not intended for use in production systems by non-experts.

:tada: meanwhile the verification of the peertube test fixtures signatures is ok!

However, the real-world EU PeerTube still rejects my ‘Like’ with an 'ActivityPub signature could not be checked'. I suspect the profile json is the culprit but am lost.

@chocobozzz, your assistance is highly appreciated.

Do you have webfinger working? The peertube instance might be using that to look up your actor and retrieve the public key for verification.

There is one PeerTube GET (the mentioned profile json) with 200 OK. Nothing else in the webserver logs.

Also check for any stray end of line characters in the content being signed.
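As an added example (not code from this thread, nor from note.sh, Epicyon or PeerTube), the pieces the replies above describe, in POSIX shell with openssl: the Digest header over the body bytes, the signing string with lower-case header names and no trailing newline, RSA PKCS#1 v1.5 over SHA-256 for the signature, and a verify step to check your own output before sending. Key file names, the host and the inbox path are placeholders; the body is constructed.

```shell
#!/bin/sh
# Added example: build and check an HTTP Signature for an ActivityPub POST.
# Key file names, host and inbox path are placeholders, not values from the thread.
set -eu

# Current time in the HTTP-date format that receivers use for the recency check.
ap_http_date() { date -u +'%a, %d %b %Y %H:%M:%S GMT'; }

# Digest header over the exact body bytes that will go on the wire.
ap_digest_header() {   # $1 = body file
  printf 'SHA-256=%s' "$(openssl dgst -sha256 -binary "$1" | openssl base64 -A)"
}

# Signing string: lower-case header names, ": " separator, lines joined by a
# single "\n" and NO trailing newline (a stray newline here breaks verification).
ap_signing_string() {  # $1=method $2=path $3=host $4=date $5=digest $6=content-type
  method=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '(request-target): %s %s\nhost: %s\ndate: %s\ndigest: %s\ncontent-type: %s' \
    "$method" "$2" "$3" "$4" "$5" "$6"
}

# RSA PKCS#1 v1.5 over SHA-256: that is what `openssl dgst -sign` does for an RSA key.
ap_sign() {            # $1 = private key file; signing string on stdin
  openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Returns 0 when the base64 signature matches the signing string read from stdin.
ap_verify() {          # $1 = public key file, $2 = base64 signature
  sigfile=$(mktemp)
  printf '%s' "$2" | openssl base64 -d -A > "$sigfile"
  if openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile"
  return $rc
}

# Signature header; the headers list must match the signing string line by line.
ap_signature_header() { # $1 = keyId $2 = base64 signature
  printf 'keyId="%s",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="%s"' \
    "$1" "$2"
}
```

Send the same Host, Date, Digest and Content-Type header values you put into the signing string; verifying your own signature with the public key before posting separates a signing bug from an actor-lookup problem on the receiving side.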

happened here verify signature from peertube test fixture ok. · ac5a6a2ce9 - activitypub - Codeberg.org and parent

I mentioned the very link a few comments above a day ago.