I’m kind of stuck when trying to send an “Accept” request back to a Mastodon user’s inbox after receiving a “Follow” request. Based on my server logs, Mastodon has no problem finding my user’s profile through webfinger, and sending a Follow request to my user’s inbox. However, I am getting the error “Public key not found for key …” back from Mastodon.
I’ve tried looking at various implementations of how people set up their user profile responses, but it doesn’t seem like I am making any progress into understanding this error after 2 days.
And here’s the Signature that I am sending over with the Follow request:
keyId="https://mydomain.com/users/victorneo#main-key",headers="(request-target) host date digest",signature="..."
As far as I can tell, #main-key is in my profile response, so that should work… unless Mastodon returns “Public key not found for key …” for some other type of errors as well?
If it also doesn’t work on other accounts then it’s probably an HTTP signature bug. One thing to note is that you can’t just use a generic signature library, since Mastodon uses an older incompatible draft.
Webfinger. Mastodon really likes doing webfinger requests for no good reason (even when it already has the complete actor object right here), and fails if that doesn’t work. I’ve been through this at least once.
In other words, if you want to federate with Mastodon, a working /.well-known/webfinger endpoint is mandatory.
Pleroma, for instance, has a laxer requirement, but that also leads to funky things when there is a clash (see Lemmy’s “compatibility” with Pleroma, which ends up renaming clashing usernames in an unpredictable way when a community and a user share the same name).
As for debugging, unfortunately, Mastodon’s output is quite limited; but if you run your own Mastodon instance, you could try applying https://github.com/mastodon/mastodon/pull/15605 and see if you get more debug information.
What we are doing for user identifiers (@user@example.com) is to combine preferredUsername and the domain in the frontend and for mentions. That means webfinger is completely optional, and is only used when a user explicitly searches for an identifier. This could lead to problems if other software has multiple actors with the same name. But so far I haven’t heard about any besides Lemmy.
It would certainly be good if we could find a sensible, common way to handle this. Unique usernames are just not a real option for us.
I have tried to post to other Mastodon instances, and it can find the public key for now. I guess I’ve changed my id and there was a caching problem.
But I still have a verification error: Verification failed for … using rsa-sha256 (RSASSA-PKCS1-v1_5 with SHA-256). I don’t understand whether it is connected with my public key or not.
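For readers debugging the same verification error, here is an added example (not code from any poster in this thread or from Mastodon) that builds and checks a signature over the `(request-target) host date digest` header list shown in the question. It assumes the draft-cavage style signing string with RSA-SHA256; the host `mastodon.example`, the inbox path, the body and the freshly generated key are constructed placeholders.

```ruby
require 'openssl'
require 'time'

# Headers covered by the signature, in the order listed in the Signature header.
SIGNED_HEADERS = ['(request-target)', 'host', 'date', 'digest'].freeze

# Digest header value: base64 of the SHA-256 of the exact body bytes sent.
def digest_header(body)
  'SHA-256=' + [OpenSSL::Digest::SHA256.digest(body)].pack('m0')
end

# Signing string: one "name: value" line per listed header, joined by "\n",
# no trailing newline. (request-target) is "<lowercase method> <path>".
def signing_string(method, path, headers)
  SIGNED_HEADERS.map do |name|
    value = name == '(request-target)' ? "#{method.downcase} #{path}" : headers.fetch(name)
    "#{name}: #{value}"
  end.join("\n")
end

def signature_header(key, key_id, method, path, headers)
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{SIGNED_HEADERS.join(' ')}",signature="#{[sig].pack('m0')}")
end

# Receiver side: recompute digest and signing string from what actually arrived.
def verify(public_key, sig_header, method, path, headers, body)
  return :digest_mismatch unless headers['digest'] == digest_header(body)
  sig = sig_header[/signature="([^"]+)"/, 1].unpack1('m')
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), sig, signing_string(method, path, headers))
  ok ? :ok : :bad_signature
end

# Constructed sample values (host, path, body and key are placeholders).
KEY = OpenSSL::PKey::RSA.new(2048)
KEY_ID = 'https://mydomain.com/users/victorneo#main-key'
BODY = '{"type":"Accept","actor":"https://mydomain.com/users/victorneo"}'
HEADERS = {
  'host' => 'mastodon.example',
  'date' => Time.now.utc.httpdate,
  'digest' => digest_header(BODY)
}.freeze
SIG = signature_header(KEY, KEY_ID, 'POST', '/users/alice/inbox', HEADERS)
```

Comparing the sender's signing string byte for byte with what the receiver would rebuild (path, `Host`, `Date`, and the digest of the body actually transmitted) narrows down which signed value differs when the key itself is found.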