Accept HTTP Signature requests for standalone key objects #2935
Merged
When a remote server uses a top-level ActivityPub object as its signing key (e.g. https://example.com/user/ok/publickey) instead of a fragment identifier (e.g. https://example.com/users/evan#main-key), signature verification failed because the code expected a nested publicKey structure on an actor object. Extract key PEM resolution into a dedicated method that handles both formats: standard actors with nested publicKey.publicKeyPem, and standalone CryptographicKey objects with top-level publicKeyPem and owner. For standalone keys, the owner actor is fetched and verified to prevent spoofing. Fixes #2934
Pull request overview
Adds support for verifying HTTP Signatures when keyId points to a standalone ActivityPub key object (top-level publicKeyPem), and prevents spoofing by verifying the key relationship via the key’s owner.
Changes:
- Extend remote public key extraction to handle standalone key objects and verify ownership by fetching the owner actor.
- Add PHPUnit coverage for successful verification and rejection when the owner’s referenced key does not match.
- Add changelog entry for the fix.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/phpunit/tests/includes/class-test-signature.php | Adds tests for verifying signatures with standalone key objects and mismatched-owner rejection. |
| includes/collection/class-remote-actors.php | Extracts public key PEM from either actor publicKey.publicKeyPem or standalone key objects and verifies ownership. |
| .github/changelog/2935-from-description | Adds changelog entry describing the fix. |
- Add same-origin check: owner URL must share the same host as the key ID before fetching, preventing cross-origin spoofing attempts.
- Wrap test assertions in try/finally to ensure filter cleanup even on test failure.
The existing mismatched-owner test used different hosts, which was caught by the same-host guard. This new test uses same-host key and owner but with a non-matching publicKey.id to exercise the back-reference verification path.
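The key-resolution flow the description and the follow-up commits outline, written out as an added Python example (this is not the plugin's PHP code): a `keyId` is fetched, and the PEM is taken either from an actor's nested `publicKey.publicKeyPem` or from a standalone key object's top-level `publicKeyPem`; in the standalone case the `owner` must be on the same host as the key ID and the fetched owner must reference that same key ID. The documents, PEM strings and the dict-backed `fetch_document` stand-in are constructed for the example, and the rule that a nested `publicKey.id`, when present, must equal the presented `keyId` is an assumption of this example.

```python
"""Resolve publicKeyPem for an HTTP Signature keyId (added example)."""
from urllib.parse import urldefrag, urlparse


class KeyResolutionError(Exception):
    """Raised when no trustworthy publicKeyPem can be derived for a keyId."""


# Constructed placeholders, not real keys.
PEM_EVAN = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-EVAN\n-----END PUBLIC KEY-----"
PEM_OK = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-OK\n-----END PUBLIC KEY-----"
PEM_BOGUS = "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-BOGUS\n-----END PUBLIC KEY-----"

# Constructed ActivityPub documents keyed by URL; stands in for a remote fetch.
DOCUMENTS = {
    # Shape 1: actor with nested publicKey, referenced by fragment.
    "https://example.com/users/evan": {
        "id": "https://example.com/users/evan",
        "publicKey": {
            "id": "https://example.com/users/evan#main-key",
            "owner": "https://example.com/users/evan",
            "publicKeyPem": PEM_EVAN,
        },
    },
    # Shape 2: standalone key object, referenced by its own URL.
    "https://example.com/user/ok/publickey": {
        "id": "https://example.com/user/ok/publickey",
        "type": "CryptographicKey",
        "owner": "https://example.com/user/ok",
        "publicKeyPem": PEM_OK,
    },
    "https://example.com/user/ok": {
        "id": "https://example.com/user/ok",
        "publicKey": {
            "id": "https://example.com/user/ok/publickey",
            "owner": "https://example.com/user/ok",
            "publicKeyPem": PEM_OK,
        },
    },
    # Spoof 1: key object on another host claiming example.com's actor as owner.
    "https://attacker.example/keys/1": {
        "id": "https://attacker.example/keys/1",
        "type": "CryptographicKey",
        "owner": "https://example.com/user/ok",
        "publicKeyPem": PEM_BOGUS,
    },
    # Spoof 2: same-host key object whose claimed owner references a different key.
    "https://example.com/user/mallory/publickey": {
        "id": "https://example.com/user/mallory/publickey",
        "type": "CryptographicKey",
        "owner": "https://example.com/user/ok",
        "publicKeyPem": PEM_BOGUS,
    },
}


def fetch_document(url):
    """Stand-in for an HTTP GET of an ActivityPub object (fragment ignored)."""
    base, _fragment = urldefrag(url)
    try:
        return DOCUMENTS[base]
    except KeyError:
        raise KeyResolutionError(f"could not fetch {base}") from None


def same_host(url_a, url_b):
    """Same-origin guard: scheme and host (with port) must match."""
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme, a.netloc.lower()) == (b.scheme, b.netloc.lower())


def resolve_public_key_pem(key_id, fetch=fetch_document):
    """Return the PEM for key_id, or raise KeyResolutionError."""
    obj = fetch(key_id)

    # Shape 1: actor object carrying publicKey.publicKeyPem.
    key = obj.get("publicKey")
    if isinstance(key, dict) and "publicKeyPem" in key:
        # Assumption: a nested key id, when present, must equal the presented keyId.
        if key.get("id", key_id) != key_id:
            raise KeyResolutionError("actor's publicKey.id does not match keyId")
        return key["publicKeyPem"]

    # Shape 2: standalone key object with top-level publicKeyPem and owner.
    if "publicKeyPem" in obj and "owner" in obj:
        owner_url = obj["owner"]
        if not same_host(key_id, owner_url):
            raise KeyResolutionError("owner is on a different host than keyId")
        owner = fetch(owner_url)  # fetched, never trusted from the key object alone
        owner_key = owner.get("publicKey")
        owner_key_id = owner_key.get("id") if isinstance(owner_key, dict) else None
        if owner_key_id != key_id:
            raise KeyResolutionError("owner actor does not reference this keyId")
        return obj["publicKeyPem"]

    raise KeyResolutionError("no publicKeyPem found for keyId")


def rejection_reason(key_id, fetch=fetch_document):
    """Return None when the keyId resolves, else the reason it was rejected."""
    try:
        resolve_public_key_pem(key_id, fetch)
    except KeyResolutionError as exc:
        return str(exc)
    return None
```

The two spoof fixtures exercise the two guards separately: the cross-host key is rejected before any owner fetch, and the same-host key with a non-matching `publicKey.id` on its claimed owner is rejected by the back-reference check, which is the path the second test on this PR targets.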
Fixes #2934
Proposed changes:
- `keyId` points to a top-level ActivityPub key object (e.g. `CryptographicKey` with `publicKeyPem` at the top level) instead of only supporting fragment identifiers on actor objects (e.g. `#main-key`).
- `owner` actor is fetched and verified to confirm it references the same key ID, preventing spoofing.

Other information:
Testing instructions:
- `activitypub.bot`) to a WordPress site with the ActivityPub plugin.
- `npm run env-test -- --filter=test_verify_http_signature_with_standalone_key_object` to verify the new test passes.

Changelog entry
Changelog Entry Details
Significance:
Type:
Message: Accept incoming activities from servers that use standalone key objects for HTTP Signatures.