hs2019 is not supported as a http signature algorithm, breaking Federation

[gabek]

PeerTube is using https://github.com/joyent/node-http-signature who is currently not adhering to the current http signature best practices by not supporting the hs2019 algorithm. There is a PR resolving this with the library who adds some context:

This allows the recommended use of "hs2019" as algorithm, that effectively hides the used algorithm from the signature to avoid attacks, see Appendix E.2 in https://tools.ietf.org/html/draft-cavage-http-signatures-12

TritonDataCenter/node-http-signature#105

But there are other PRs linked in the original issue: TritonDataCenter/node-http-signature#106.

While I know this isn't directly a PeerTube issue, it is breaking federation with other services, so I'm hoping PeerTube can chime in on the above to hopefully push through some resolution so PeerTube can be fully compatible with http signatures. If that library is not going to update then maybe PeerTube may have to move to another library in order to get up to date.

[gabek]

Hi there. I noticed there's been no activity from PeerTube on the above links. Is there any plan to resolve this incompatibility outside of relying on the outdated and inactive dependency to fix it?

[rigelk]

Ultimately it really depends on the urgency. The above linked PRs are not yet merged, but might deserve some more waiting, don't you think?

Could you expand on the "breaking federation with other services" to better evaluate the above?

[gabek]

It was first reported to your dependency library two years ago, and no movement has taken place since then. It's likely without some prodding from large projects who depend on that library (PeerTube) it will continue to be stalled.

You could continue to wait, but two years is a long time, and in the mean time it's blocking support for additional federation. I know people would like to see Owncast federate with PeerTube, for example.

As for the actual issue, PeerTube is rejecting inbound federated activities that are signed with hs2019. I'll get the actual log message shortly.

[rigelk]

I guess https://npm.io/package/@jolocom/http-signature could fit the bill in the meantime.

[Chocobozzz]

I'll create a dedicated http signature npm package for peertube then :/

[gabek]

Thank you!

[Chocobozzz]

You can test hs2019 on https://peertube2.cpy.re/about/instance. If you have issues please contact me by email (in my github profile).

[vpzomtrrfrt]

If I'm reading this correctly, this implementation assumes hs2019 signatures are sha512 signatures, while most of the fediverse currently uses sha256. In theory, the algorithm should be derived from metadata about the key, but how exactly to do that is still undefined (see https://socialhub.activitypub.rocks/t/state-of-http-signatures/754)