Help Needed: HTTP Signatures

request-target looks wrong. I expect it should just be /inbox

host is the server that you are sending to. I don’t know about other instances, but Epicyon rejects anything addressed to localhost except if it is running unit tests.

The date is also important. There is a recency check to test that the post was sent within the last few minutes. 2018 is obviously older than that. This check is to avoid replay attacks.

Of course, none of the above is documented in the ActivityPub specification, and some people will fervently argue that this type of details should remain undocumented.

1 Like

what fun would a puzzle be with the solution next to it.

1 Like

the date isn’t inspected by

openssl dgst \
  -sha256 \
  -verify "public.pem" \
  -signature "/tmp/sig.bin" \

which fails to verify.

I meanwhile found the referred to peertube test PeerTube/helpers.ts at 5d2fd66ab4a75281dab6363ba9131adee7be3a2b · Chocobozzz/PeerTube · GitHub to use /accounts/ronan/inbox

I am not sure that will work. The cipher used is very specific. PKCS1v15

I dont think HTTP signatures are part of Activitypub, the proper spec is here.


I found a funny remark via Security - Mastodon documentation at the linked – it starts with the words

This is an experimental vocabulary and is not intended for use in production systems by non-experts.

:tada: meanwhile the verification of the peertube test fixtures signatures is ok!

However, the real-world EU peertube still rejects my ‘Like’ with an 'ActivityPub signature could not be checked'. I suspect the profile json is the culprit but am lost .

@chocobozzz, your assistence is highly appreciated.

Do you have webfinger working? The peertube instance might be using that to look up your actor and retrieve the public key for verification.

there is one peertube GET (the mentioned profile json) with 200 Ok. Nothing else in the webserver logs.

Also check for any stray end of line characters in the content being signed.

happened here verify signature from peertube test fixture ok. · ac5a6a2ce9 - activitypub - and parent

I mentioned the very link a few comments above a day ago.

It’s unclear whether the header is ascii encoded before sha256

Which header? I’m not aware of any HTTP headers that support non-ASCII character sets. The encoding of a header is defined by the header itself though, the HTTP Signature spec just references the “header value” which has already been encoded by the relevant HTTP client library. So if you have a conforming HTTP client library, you shouldn’t have to worry about encoding. (See RFC 7230 § 3.2.4 - Field Parsing)

Thanks for your help!

solved, see


‘solved’ was a fallacy. Currently, it puzzlingly fails with requests such as:

(request-target): post /user/1/inbox.json
date: Thu, 21 Jul 2022 10:19:19 GMT
digest: SHA-256=olrkFelf87xqs/N2gg2Vlmd3s0ns7l47tPSQipyrYxs=
content-type: application/activity+json
signature: keyId="",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="gGbfGZqVMT/Md8ix3/25l+jULXps2PfRQtr7S+t4QyV0Ubi6JBk+qHgej0GOJ0R/5jAWy0hRA7jmF0g/VIvCcWf9TdnSNFXmDc7q5dkzl7wwaRm+ER8UkiqC+y4f80RNa8Xer/cPD2z0zMe7bg8xSTTSwZOq3jf/N1y1VjaysRlcX+qgBTjNEzGy5RLetaeibxg+80LcioVPfu9QL5lHw2U+959wXxzqZx3r8Tv1ggqOGi2+WuFC6X4fTdh49+KdCw7tyHpKnIyzQ19WehqFvLQqesKS/T0OCiRmgKOsemwfIzLTU91W94pcPJnY3fJ2zjySpqj17TbUdLp3JoTwyw=="
Accept: application/activity+json
User-Agent: Seppo/0.1

{"type":"Like","@context":"","id":"","summary":"That's the way, aha, aha, I Like it.","published":"2022-07-21T10:19:19-00:00","actor":"","to":[""],"cc":[""],"object":""}

Have opened but peertube, mastodon, lemmy, pleroma, pixelfed fail likewise. Some without response, some with ‘ok’, some with ‘500’, some with ‘403’.

fixed a case typo, works now.

see also at lemmy & federtion thread