Yet Another POST to Mastodon with HTTP Signature

In an attempt to create a relay server for ActivityPub I’ve run into issues. Hoping someone can point me in the right direction that has been through this dance before. Currently stuck on getting the http-signature to be valid when posting the ‘Accept’ for the follow from an instance. I’ve managed to get through the need for a digest header:
{"error":"Mastodon requires the Digest header to be signed when doing a POST request"}
And when the header is incorrect:
{"error":"Invalid Digest value. Computed SHA-256 digest: hSInFnh/+nfXvO53Y3B9Lzw/lYTlcDLVmW6ip1bQJCQ=; given: bOyqyOOL8CAIp2xBpSwWgsBOQSCFYVwxZ8pIN2Nseg0="}
And when the webfinger config was wrong:
{"error":"Webfinger error when resolving relay@acctrelay.moth.social: Request for acct:relay@acctrelay.moth.social returned HTTP 404"}
The current error returning from the instance is:
{"error":"Verification failed for relay@acctrelay.moth.social https://acctrelay.moth.social/actor using rsa-sha256 (RSASSA-PKCS1-v1_5 with SHA-256)","signed_string":"(request-target): post /inbox\nhost: staging.moth.social\ndate: Wed, 21 Jun 2023 22:38:44 GMT\ndigest: SHA-256=IuHD2Uc886zZlkrLZj02yFu1hSI9ZRC9DSkdb2Hmt8o=","signature":"WxmM3/iz2I//mJmoD9Hhz7iZvkaOP6XLtmF0e30NqFB+wvePMUryNpp9o0Wzv1rv1vaKYCuENStCgZ2YIXfpaVJcJEV5iNvqeA84BCmARYEMJHgWDG9S/xWIHLloVwIMHibpyWNh/aLVaXjzOLNn2svEiFux0UgySOvh7hEU1FhmH7SLajlwrtl5uSTbjKCFSUxq/nux6FUcgQFBTDuRiBnf82hNBkedMWBSlzP/0zDDANi0rOKvKYnQ14dfWjnRfxCCppFD8EqCubdS7epMmBLmE6V9IM4U8zbx3bZ8qLYBij9tKDPwMzarHh/EPdX9Y7qVup6tWKQRvsbPeramQQ=="}

This one I haven’t resolved, and I’m running low on ideas. My best guess is it’s a mismatch with my privatePEM and the publicPEM that the instance is getting from the relay’s /actor endpoint. Maybe? My next question is what other dragons lurk in this setup that I need to be mindful of? Here’s a gist of what simplified service I am trying, ActivityPub HTTP Signature and POST activity · GitHub

I’ve gathered several resources that have been helpful in getting me this far.

I think it’s because there’s a mismatch between what you’re sending and the Digest.

digest = 'SHA-256=' + Base64.strict_encode64(sha256.digest(@content.to_json))

That looks correct, but you’re POSTing

.post(
      'https://staging.moth.social/inbox', json: @content
 )

Shouldn’t that be json: @content.to_json ?

I’ve written a bit about how to verify HTTP Signatures, which might be of help - https://shkspr.mobi/blog/2024/02/a-simpleish-guide-to-verifying-http-message-signatures-in-php/
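The two suspicions raised in this thread, a private key that does not match the PEM published at the actor endpoint and a Digest computed over different bytes than the body sent, can both be checked locally before posting. The following is an added example, not code from the gist or from either poster; it uses only Ruby's standard library, the function names are hypothetical, and the key and activity body are constructed for the demonstration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Digest header for the exact byte string that goes on the wire as the body.
def digest_header(body)
  'SHA-256=' + Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(body))
end

# Signing string in the layout of the "signed_string" field in the error above.
def signing_string(path:, host:, date:, digest:)
  ["(request-target): post #{path}", "host: #{host}",
   "date: #{date}", "digest: #{digest}"].join("\n")
end

# RSASSA-PKCS1-v1_5 with SHA-256, base64-encoded for the Signature header.
def sign(private_key, string)
  Base64.strict_encode64(private_key.sign(OpenSSL::Digest.new('SHA256'), string))
end

# The receiver's check, using the PEM it fetched from the actor document.
def verify(public_pem, string, signature_b64)
  OpenSSL::PKey::RSA.new(public_pem)
                    .verify(OpenSSL::Digest.new('SHA256'), Base64.strict_decode64(signature_b64), string)
end

# True when the published PEM is the public half of the signing key.
def key_pair_matches?(private_key, public_pem)
  published = OpenSSL::PKey::RSA.new(public_pem)
  private_key.n == published.n && private_key.e == published.e
end

# Constructed sample activity; the ids are placeholders, not values from the thread.
SAMPLE_ACCEPT = { '@context' => 'https://www.w3.org/ns/activitystreams',
                  'type' => 'Accept', 'actor' => 'https://relay.example/actor',
                  'object' => 'https://instance.example/follows/1' }.freeze

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)            # throwaway key for the demo
  body = JSON.generate(SAMPLE_ACCEPT)           # serialise once; sign and send this string
  to_sign = signing_string(path: '/inbox', host: 'staging.moth.social',
                           date: 'Wed, 21 Jun 2023 22:38:44 GMT', digest: digest_header(body))
  sig = sign(key, to_sign)
  puts "key pair matches:   #{key_pair_matches?(key, key.public_key.to_pem)}"
  puts "signature verifies: #{verify(key.public_key.to_pem, to_sign, sig)}"
end
```

To test a real deployment, pass the relay's own private key and the `publicKeyPem` string copied from its actor document to `key_pair_matches?`, and feed `digest_header` the same string object that is handed to the HTTP client as the body.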