Add a description of "RsaSignature2017" #9361
As far as I can see, Mastodon does not document the "RsaSignature2017" signature method, which is needed in order to verify ActivityPub messages received from Mastodon instances.
Please could you document it? Or is there some other way of verifying incoming messages?
My efforts to figure it out from the Ruby source have foundered on its apparent reliance on specific quirks of Ruby's RDF Turtle serializer. Here are my notes, anyway: https://gist.github.com/marnanel/ba6cba944d1f12d705891b1f7a7808d6
Mastodon uses JSON-LD signatures, which are documented here: https://w3c-dvcg.github.io/ld-signatures/ but you don't need to use them for most purposes. c14n comes from the RDF Dataset Normalization spec: https://json-ld.github.io/normalization/spec/, which is referenced from the ld-signature spec.
However, for nearly all purposes, you're fine verifying the HTTP Signature header only. HTTP Signatures authenticate the transmission of messages between servers, while the ld-signature values are used only for messages that are forwarded by a third party (a completely optional enhancement).
You can read the HTTP Signature spec here: https://w3c-dvcg.github.io/http-signatures/
All of this is documented on this wiki page: https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization and in Mastodon's implementation report
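To make the "verify the HTTP Signature header only" advice concrete, here is an added, self-contained Ruby example (not Mastodon's code and not from the thread above) of the draft-cavage HTTP Signatures scheme on both sides: a sender builds the signing string from `(request-target)`, `host`, `date` and `digest`, signs it with RSA-SHA256, and a receiver checks the body digest, the Date freshness and the signature. The required header set, the one-hour freshness window, the hostnames, the keyId URL and the JSON payload are all assumptions constructed for the example; a real inbox would fetch the public key from the actor referenced by `keyId` instead of having it handed in.

```ruby
require 'openssl'
require 'time'

# Headers the receiver insists on finding inside the signature (this example's
# choice): request target, host, a fresh date, and the body digest.
REQUIRED_HEADERS = ['(request-target)', 'host', 'date', 'digest'].freeze
# Freshness window for the Date header in seconds (assumption for the example).
MAX_CLOCK_SKEW = 3600

# Base64 via pack/unpack so the script needs no extra gems.
def b64(bytes); [bytes].pack('m0'); end
def unb64(str); str.unpack1('m0'); end

def body_digest(body)
  "SHA-256=#{b64(OpenSSL::Digest.digest('SHA256', body))}"
end

# The string that is actually signed: one "name: value" line per header named
# in the signature's "headers" parameter, in that order, with the pseudo-header
# (request-target) expanded to "<method> <path>".
def signing_string(method, path, headers, signed_headers)
  signed_headers.map do |name|
    if name == '(request-target)'
      "(request-target): #{method.downcase} #{path}"
    else
      "#{name}: #{headers.fetch(name)}"
    end
  end.join("\n")
end

# Parse 'keyId="...",algorithm="...",headers="...",signature="..."' into a hash.
def parse_signature_header(value)
  value.split(',').each_with_object({}) do |pair, acc|
    k, v = pair.strip.split('=', 2)
    acc[k] = v.to_s.delete('"')
  end
end

# Constant-time comparison for the digest check.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sender side: add the Signature header to an outgoing request's headers.
def sign_request(method, path, headers, private_key, key_id)
  data = signing_string(method, path, headers, REQUIRED_HEADERS)
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), data)
  headers.merge('signature' =>
    %(keyId="#{key_id}",algorithm="rsa-sha256",) +
    %(headers="#{REQUIRED_HEADERS.join(' ')}",signature="#{b64(sig)}"))
end

# Receiver side. Returns [ok, reason]. Header names are lower-case, as a server
# would normalise them; public_key_pem is the sender's published key.
def verify_request(method, path, headers, body, public_key_pem, clock: Time.now)
  params = parse_signature_header(headers.fetch('signature', ''))
  signed = params.fetch('headers', '').split(' ')
  return [false, 'missing required signed header'] unless (REQUIRED_HEADERS - signed).empty?
  return [false, 'unsupported algorithm'] unless params['algorithm'] == 'rsa-sha256'
  return [false, 'digest mismatch'] unless secure_compare(body_digest(body), headers.fetch('digest', ''))

  date = Time.httpdate(headers.fetch('date', '')) rescue nil
  return [false, 'bad or stale date'] if date.nil? || (clock - date).abs > MAX_CLOCK_SKEW

  key = OpenSSL::PKey::RSA.new(public_key_pem)
  data = signing_string(method, path, headers, signed)
  ok = key.verify(OpenSSL::Digest.new('SHA256'), unb64(params.fetch('signature', '')), data)
  ok ? [true, 'ok'] : [false, 'signature mismatch']
rescue ArgumentError, KeyError, OpenSSL::PKey::PKeyError => e
  [false, "malformed: #{e.class}"]
end

# Constructed end-to-end run: sign a POST to /inbox, then verify it, optionally
# after tampering or with a stale clock. All names here are made up.
def demo(scenario = :valid)
  key = OpenSSL::PKey::RSA.new(2048)
  body = '{"@context":"https://www.w3.org/ns/activitystreams","type":"Create"}'
  now = Time.now.utc
  headers = {
    'host' => 'inbox.example.org',
    'date' => now.httpdate,
    'digest' => body_digest(body),
    'content-type' => 'application/activity+json'
  }
  signed = sign_request('POST', '/inbox', headers, key, 'https://sender.example.org/actor#main-key')
  clock = now
  case scenario
  when :tampered_body then body = body.sub('Create', 'Delete')
  when :tampered_host then signed = signed.merge('host' => 'other.example.org')
  when :replayed      then clock = now + 2 * MAX_CLOCK_SKEW
  end
  verify_request('POST', '/inbox', signed, body, key.public_key.to_pem, clock: clock)
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script prints `[true, "ok"]`; `demo(:tampered_body)` fails on the digest, `demo(:tampered_host)` on the signature (because `host` is part of the signed string), and `demo(:replayed)` on the stale Date. The order of checks is deliberate: the cheap digest and date checks run before the RSA verification, and the digest covers the body while the signature covers the digest, so neither can be altered without the other check failing.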