diff options
| author |  tobi <31960611+tsmethurst@users.noreply.github.com> | 2024-06-10 20:42:26 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2024-06-10 19:42:26 +0100 |
| commit | ebdcb00d0a24fe00ed316c8a43c318b030ab95fc (patch) | |
| tree | d898aacd114216391f0b0cdf082b6d08735721f9 | |
| parent | [chore]: Bump golang.org/x/image from 0.16.0 to 0.17.0 (#2985) (diff) | |
| download | gotosocial-ebdcb00d0a24fe00ed316c8a43c318b030ab95fc.tar.xz | |
[chore] Roll back use of `(created)` pseudo-header pending #2991 (#2992)
| -rw-r--r-- | docs/federation/federating_with_gotosocial.md | 8 | ||||
| -rw-r--r-- | internal/transport/signing.go | 10 |
2 files changed, 11 insertions, 7 deletions
diff --git a/docs/federation/federating_with_gotosocial.md b/docs/federation/federating_with_gotosocial.md index 0fd4580ce..17a61219e 100644 --- a/docs/federation/federating_with_gotosocial.md +++ b/docs/federation/federating_with_gotosocial.md @@ -42,10 +42,12 @@ ED25519 GoToSocial request signing is implemented in [internal/transport](https://github.com/superseriousbusiness/gotosocial/blob/main/internal/transport/signing.go). -When assembling signatures: +Once https://github.com/superseriousbusiness/gotosocial/issues/2991 is resolved, GoToSocial will use the `(created)` pseudo-header instead of `date`. -- outgoing `GET` requests use `(request-target) (created) host` -- outgoing `POST` requests use `(request-target) (created) host digest` +For now however, when assembling signatures: + +- outgoing `GET` requests use `(request-target) host date` +- outgoing `POST` requests use `(request-target) host date digest` GoToSocial sets the "algorithm" field in signatures to the value `hs2019`, which essentially means "derive the algorithm from metadata associated with the keyId". The *actual* algorithm used for generating signatures is `RSA_SHA256`, which is in line with other ActivityPub implementations. When validating a GoToSocial HTTP signature, remote servers can safely assume that the signature is generated using `sha256`. diff --git a/internal/transport/signing.go b/internal/transport/signing.go index fa15eee5e..da3b6dc46 100644 --- a/internal/transport/signing.go +++ b/internal/transport/signing.go @@ -23,10 +23,12 @@ import ( var ( // http signer preferences - prefs = []httpsig.Algorithm{httpsig.RSA_SHA256} - digestAlgo = httpsig.DigestSha256 - getHeaders = []string{httpsig.RequestTarget, "(created)", "host"} - postHeaders = []string{httpsig.RequestTarget, "(created)", "host", "digest"} + prefs = []httpsig.Algorithm{httpsig.RSA_SHA256} + digestAlgo = httpsig.DigestSha256 + + // TODO: Update these to use `(created)` pseudo-header instead of `Date`. + getHeaders = []string{httpsig.RequestTarget, "host", "date"} + postHeaders = []string{httpsig.RequestTarget, "host", "date", "digest"} ) // NewGETSigner returns a new httpsig.Signer instance initialized with GTS GET preferences. |