Stuck on HTTP signatures

Ok, I’m stuck at the http signatures bit. I’m trying to reply to a toot I made and I just get a 401 Unauthorized response, not very informative!

I’m pretty sure I’ve got (almost) everything right, the code is based on this nice simple example:

Should this still work?

Here’s what I’m POSTing to the remote server inbox via fetch() options (based on the Ruby example above):

  method: 'POST',
  headers: {
    Host: '',
    Date: 'Thu, 21 Dec 2023 04:40:16 GMT',
    Signature: 'keyId="",headers="(request-target) host date",signature="SDKa6ckF2lJ1B0DL7Lk5E6PXJ8dEeE0zOgnl/x6YEbY19AsX2Ix4uZ91hj4q5gYJ3FDzRbh9z7/QW4H3vMbUBRx8lJNeo2PFlCoPFsCEt1C6TupBs2h900ROTfvLO1CJoa3vfF/6E2NpjX3JfuZu1ZU3h30BOpxVhy6oZZPJjqcpMsVGLXgRC7dRfvNk5LE+kSUdX7yfhVTaKPSuEfxN/giEb0WHCoRp6XVPAzjkL2M6rtmcyhIMlj8+jgvhSp4E8wtZ355Uik0isPj2aXTFxU5qexvFbaPcQeE7/XcOYq+uxsmTpvb5O2TnfGMRzOv9x16RjDPq8RY5MqrurhzNDg=="'
  body: '{"@context":"","id":"","type":"Create","actor":"","object":{"id":"","type":"Note","published":"Thu, 21 Dec 2023 04:40:16 GMT","attributedTo":"","inReplyTo":"","content":"Hello there!","to":""}}'

Here’s the body, ie: the create note activity:

  '@context': '',
  id: '',
  type: 'Create',
  actor: '',
  object: {
    id: '',
    type: 'Note',
    published: 'Thu, 21 Dec 2023 04:40:16 GMT',
    attributedTo: '',
    inReplyTo: '',
    content: 'Hello there!',
    to: ''

Here’s the signature before it gets signed and base64-ized.

(request-target): post /users/marksibly/inbox
date: Thu, 21 Dec 2023 04:40:16 GMT

I’m using crypto.verify to check my crypto.sign works.

Any hints on how to debug this stuff, it’s driving me a bit nuts! Would installing a mastodon server locally help?

A bit more info, here are the headers actually being sent by node.js fetch:

POST /users/marksibly/inbox HTTP/1.1
connection: keep-alive
Content-Type: application/ld+json
Date: Thu, 21 Dec 2023 08:08:24 GMT
Signature: keyId="",headers="(request-target) host date",signature="oZsaxeQrLeP6AJJA40IroR9Hkg8INMDsNBH8npe1XUkaIfeKK4rpqLyajxeNgyRS7FKAqqvVj7by0W/GKElVrrV0gS3YOQc6ksyy5DZqwRXrqD1LPcK7TECmYz4rncYc9E2JoN7n3Afo3oHkhKJqNzqmqcPsdtJrrtQBxSo+O01jUN+HUFeMCUa0t6XigCpANjVAx3/lX7Q+NfZ/0c3fuwkF57uUhj+eU0WjGGuYVDDAWOmua0ORC5sQ3Vij6m6WyUoBsivghV52DxIfFakVaxhcG2kxDEt/N96B8wRfNY0NZSPTkTqef+MQforhgY4FUBLOY+iYdx/wVIDn8Z415Q=="
accept: */*
accept-language: *
sec-fetch-mode: cors
user-agent: node
accept-encoding: br, gzip, deflate

The server I’m trying to post to isn’t even requesting my actor/public key so it must be failing before it even tries to verify the signature?

Note: if you’re using the new ‘native’ fetch in node.js, you can use this to log requests and responses:

import diagnosticsChannel from "diagnostics_channel";'undici:client:sendHeaders').subscribe(({ request, headers, socket }) => {
});'undici:request:headers').subscribe(({ request, response }) => {		
	console.log(response.statusCode, response.statusText);

More info here:

I can’t contact your server at all:

$ nc 443 [] 443 (https) : No route to host


The server isn’t currently up 24/7, it’s basically just an ‘old PC on the kitchen bench’ style setup…

I didn’t think it’d be necessary as the remote server never even seems to be attempting to connect back, but I guess it could well be something to do with my server config or routing or whatever that I know absolutely nothing about so I’ll leave it running while sorting this out.

The server can really only handle webfinger and actor requests, eg:


(with or without .json extension, not sure if it’s required)

However, this is enough to be able to ‘find myself’ on mastodon which is cool!


Fixed: 202 Accepted!

You also need to add a ‘digest’ header for POSTs, as docced here:

So the example is buggy I think. Once I learn how to edit Wiki Posts, I’ll add a note to the ActivityPub.Rocks page.

the example is from a blog post in 2018 and was never updated. add digest to deliver.rb by jakekara · Pull Request #1 · mastodon/blog · GitHub is a PR that would update it.

the additional requirements were added to mastodon v3.3 in 2020 Add support for latest HTTP Signatures spec draft by ClearlyClaire · Pull Request #14556 · mastodon/mastodon · GitHub

1 Like