Liked by

@hongminhee@hollo.social · Reply to Evan Prodromou

@evan Yes, that's exactly how it works. When Fedify verifies a draft-cavage signature on an incoming request, it:

Extracts the keyId from the Signature header.
Fetches the document at that keyId URL, expecting a key object (or an actor with a matching public key embedded).
Reads the owner property of the key, which points to the actor's ActivityPub object URL.
Fetches that actor object to confirm the key is actually associated with the claimed sender.

So if tags.pub is having a signature-related bug with Fedify, worth checking: does the keyId URL actually resolve to a key object with a correct owner pointing back to the actor? And does the actor object at that owner URL include the public key? If either fetch fails or returns unexpected data, Fedify will reject the signature.

2 likes

Evan Prodromou
@evan@cosocial.ca
He/him. Board member at CoSocial.ca.
Research Director, Social Web Foundation.
Author of "ActivityPub: Programming for the Social Web" from O'Reilly Media.
Founder of Wikitravel, StatusNet, identi.ca, Fuzzy.ai.
Creator of pump.io. Co-creator of GNU social.
Former co-chair of the Social Web Working Group at W3C. Co-author of Activity Streams 2.0. Co-author of ActivityPub. Co-author of OStatus.
Grad student in CS at Georgia Tech.
Greek, Arab, Palestinian, American, Canadian, Montréalais.
julian
@julian@activitypub.space
Co-Founder (NodeBB) | Husband 🤷‍♂️ and Dad 🙉 to three | Rock Climber 🧗‍♂️ | Foodie 🥙 | Conductor 🎵 | Saxophonist 🎷

✅ Small teams craft better code.
🇨🇦 Made in Canada
🗨️ Federating NodeBB with funding from NLNet ♥️🇪🇺