Unable to verify signature for remote actor 'Delete' activity #10286
Comments
This is understandably confusing, but it's not a bug or a problem. You receive deletes of accounts your server does not know about. Since the account is deleted, the key cannot even be retrieved. But your server does not store the account, so there is nothing to delete anyway. This is because we propagate deletes to all known inboxes, to ensure the widest possible application of the delete.
@Gargron Actually, my server does store the accounts for the purpose of caching, but it always retrieves the RSA public key for the verification of the signature, since there is always the possibility that someone with their own ActivityPub server changes their public key at any time and this would cause failure in the verification of. I understand that this is not a priority bug, since all Mastodon instances would work as expected, but due to a sense of righteousness, I think the behavior should be changed in the future. Sorry for my English.
Expected behaviour

It is expected that Mastodon's actor Public Key is available to be retrieved for `Signature` header calculation when the Mastodon server sends to another server (server-server interaction) the 'Delete' activity for an actor.

Actual behaviour

My own ActivityPub server inbox receives a lot of 'Delete' activities for actors, but when my server tries to fetch the actor Public Key from the `keyId` URL provided in the `Signature` header, the Mastodon server returns a `410 Gone` HTTP status code with an empty body, so the `publicKeyPem` cannot be retrieved, my server is not able to calculate the `signature`, and thus it is not possible to verify the actor.

Steps to reproduce the problem

1. Get `{"type":"Delete"}` from inbox.
2. From the `Signature` header, extract the `keyId` value.
3. Fetch `publicKey` from `keyId`; get `410 Gone` HTTP status code with empty body.

Specifications

Mastodon 2.7.4

Recommendation

Maintain the actor `publicKey` available for a specific period of time (e.g. 5 minutes) before removing it.
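Added example for readers of this thread (not code from the issue author or from Mastodon): one way an inbox can handle exactly the situation above by parsing the HTTP `Signature` header, building the signing string, and resolving `keyId` through a local cache, so a 'Delete' whose key URL now answers `410 Gone` is verified against the cached key when the actor is known and dropped when it is not (there is nothing to delete in that case). The keyId, headers and secret are constructed, and HMAC-SHA256 stands in for RSA-SHA256 so the block runs on the standard library alone.

```python
import base64, hashlib, hmac, json

def parse_signature_header(value):
    """Split 'keyId="...",headers="...",signature="..."' into a dict."""
    parts = (p.strip().partition("=") for p in value.split(","))
    return {name: quoted.strip('"') for name, _, quoted in parts}

def signing_string(method, path, headers, signed_names):
    # draft-cavage HTTP Signatures (used by Mastodon): one "name: value" line per
    # signed header; "(request-target)" expands to "<lowercase method> <path>".
    lines = []
    for name in signed_names.split():
        value = f"{method.lower()} {path}" if name == "(request-target)" else headers[name]
        lines.append(f"{name}: {value}")
    return "\n".join(lines)

def resolve_key(key_id, cache, fetch):
    """fetch(key_id) -> (status, body). Returns key material, or None if unavailable."""
    status, body = fetch(key_id)
    if status == 200:  # live actor: take the current key, it may have been rotated
        cache[key_id] = json.loads(body)["publicKey"]["publicKeyPem"]
        return cache[key_id]
    if status == 410:  # actor deleted: the last cached key is all that is left
        return cache.get(key_id)
    return None

def handle_delete(method, path, headers, cache, fetch, verify):
    sig = parse_signature_header(headers["signature"])
    key = resolve_key(sig["keyId"], cache, fetch)
    if key is None:
        return "dropped"   # unknown actor and no key: nothing to verify or delete
    message = signing_string(method, path, headers, sig.get("headers", "date"))
    if not verify(key, message, base64.b64decode(sig["signature"])):
        return "rejected"  # a key exists but the request was not signed with it
    return "accepted"

# Constructed demo: HMAC-SHA256 over a shared secret stands in for RSA-SHA256 (stdlib only).
def _mac(key, message):
    return hmac.new(key.encode(), message.encode(), hashlib.sha256).digest()
KEY_ID = "https://mastodon.example/users/alice#main-key"  # constructed keyId
def demo(actor_cached, tamper=False):
    cache = {KEY_ID: "demo-secret"} if actor_cached else {}
    headers = {"host": "remote.example", "date": "Tue, 19 Mar 2019 10:00:00 GMT"}
    signed = "(request-target) host date"
    sig = base64.b64encode(_mac("demo-secret", signing_string("POST", "/inbox", headers, signed))).decode()
    headers["signature"] = f'keyId="{KEY_ID}",headers="{signed}",signature="{sig}"'
    if tamper:
        headers["date"] = "Tue, 19 Mar 2019 11:00:00 GMT"  # request altered after signing
    verify = lambda key, msg, sig_bytes: hmac.compare_digest(_mac(key, msg), sig_bytes)
    return handle_delete("POST", "/inbox", headers, cache, lambda _id: (410, ""), verify)
```

`demo(True)` is the cached-actor case, `demo(False)` the unknown-actor case the maintainer describes, and `demo(True, tamper=True)` shows that a cached key still rejects a request whose signed headers were altered.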