"Public key not found for key ..."

I’m kind of stuck when trying to send an “Accept” request back to a Mastodon user’s inbox after receiving a “Follow” request. Based on my server logs, Mastodon has no problem finding my user’s profile through webfinger, and sending a Follow request to my user’s inbox. However, I am getting the error “Public key not found for key …” back from Mastodon.

I’ve tried looking at various implementations of how people set up their user profile responses, but it doesn’t seem like I am making any progress in understanding this error after 2 days.

Here’s my user profile:

{'@context': ['https://www.w3.org/ns/activitystreams',
  'https://w3id.org/security/v1'],
 'type': 'Person',
 'id': 'https://mydomain.com/users/victorneo',
 'followers': 'https://mydomain.com/users/victorneo/followers',
 'inbox': 'https://mydomain.com/users/victorneo/inbox',
 'preferredUsername': 'victorneo',
 'publicKey': {'id': 'https://mydomain.com/users/victorneo#main-key',
  'owner': 'https://mydomain.com/users/victorneo',
  'publicKeyPem': '-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\n'}}

And here’s the Signature that I am sending over with the Follow request:

keyId="https://mydomain.com/users/victorneo#main-key",headers="(request-target) host date digest",signature="..."

As far as I can tell, #main-key is in my profile response, so that should work… unless Mastodon returns “Public key not found for key …” for some other type of errors as well?

It might be that it’s in secure mode and expecting your instance actor signature on the Accept.

Hmm, I am following this repo’s way of doing things, which as far as I know works on Mastodon, and I am sending the signature on Accept as well: https://github.com/dariusk/express-activitypub/blob/879ca300ce16aac812f204faa1b05948db87ed32/routes/inbox.js#L27

If it also doesn’t work on other accounts then it’s probably an HTTP signature bug. One thing to note is that you can’t just use a generic signature library, since Mastodon uses an older incompatible draft.

Hmmm, that could be the case.

Let me take another look at how I am generating the signatures when time permits. Thanks!

Webfinger. Mastodon really likes doing webfinger requests for no good reason (even when it already has the complete actor object right here), and fails if that doesn’t work. I’ve been through this at least once.

In other words, if you want to federate with Mastodon, a working /.well-known/webfinger endpoint is mandatory.

1 Like

The reasons Mastodon requires webfinger are documented here: https://github.com/mastodon/mastodon/issues/17030
TL;DR: it’s to ensure a mapping between a @foo@bar handle and an AP actor.

Pleroma, for instance, has a laxer requirement, but that also leads to funky things when there is a clash (see Lemmy’s “compatibility” with Pleroma, which ends up renaming clashing usernames in an unpredictable way when a community and a user share the same name).

As for debugging, unfortunately, Mastodon’s output is quite limited; but if you run your own Mastodon instance, you could try applying https://github.com/mastodon/mastodon/pull/15605 and see if you get more debug information.

2 Likes
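A preflight check for the two points raised in this thread, added here as an example and not taken from any poster's code or from Mastodon: it confirms that the `keyId` in the Signature header matches the actor's `publicKey`, and that a webfinger response links back to the same actor. The function names are hypothetical, the sample data is constructed from the profile shape in the first post, and it assumes the handle's domain is the host of the actor URL.

```python
import re
from urllib.parse import urlsplit

AP_TYPES = {
    "application/activity+json",
    'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
}

def parse_signature(header):
    """Split a Signature header into its key="value" parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def webfinger_resource(actor):
    """acct: resource to look up (assumption: handle domain == actor host)."""
    host = urlsplit(actor["id"]).netloc
    return f"acct:{actor['preferredUsername']}@{host}"

def preflight(actor, signature_header, webfinger):
    """Return the problems that would keep a receiver from resolving the key."""
    problems = []
    key_id = parse_signature(signature_header).get("keyId")
    key = actor.get("publicKey") or {}
    if not key_id or key.get("id") != key_id:
        problems.append("keyId does not equal publicKey.id")
    if key.get("owner") != actor.get("id"):
        problems.append("publicKey.owner does not equal the actor id")
    pem = key.get("publicKeyPem", "").strip()
    if not (pem.startswith("-----BEGIN PUBLIC KEY-----")
            and pem.endswith("-----END PUBLIC KEY-----")):
        problems.append("publicKeyPem is not a PEM public key block")
    if webfinger is None:  # endpoint missing, error status, or not JSON
        problems.append("no webfinger response for " + webfinger_resource(actor))
        return problems
    self_links = [link.get("href") for link in webfinger.get("links", [])
                  if link.get("rel") == "self" and link.get("type") in AP_TYPES]
    if actor.get("id") not in self_links:
        problems.append("webfinger has no self link to the actor id")
    return problems

# Constructed sample data (the PEM body is a placeholder, not a real key).
ACTOR = {"id": "https://mydomain.com/users/victorneo", "preferredUsername": "victorneo",
         "publicKey": {"id": "https://mydomain.com/users/victorneo#main-key",
                       "owner": "https://mydomain.com/users/victorneo",
                       "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"}}
SIGNATURE = ('keyId="https://mydomain.com/users/victorneo#main-key",'
             'headers="(request-target) host date digest",signature="..."')
WEBFINGER = {"subject": "acct:victorneo@mydomain.com",
             "links": [{"rel": "self", "type": "application/activity+json",
                        "href": "https://mydomain.com/users/victorneo"}]}

if __name__ == "__main__":
    print(preflight(ACTOR, SIGNATURE, WEBFINGER) or "no problems found")
```

Passing `None` as the webfinger argument models a missing or failing `/.well-known/webfinger` endpoint, the case described above where the actor document itself is fine.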

What we are doing for user identifiers (@user@example.com) is to combine preferredUsername and the domain in the frontend and for mentions. That means webfinger is completely optional, and is only used when a user explicitly searches for an identifier. This could lead to problems if other software has multiple actors with the same name. But so far I haven’t heard about any besides Lemmy.

It would certainly be good if we could find a sensible, common way to handle this. Unique usernames are just not a real option for us.

1 Like