SuperSeriousBusiness/GoToSocial
1
1
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial synced 2025-06-05 21:59:39 +02:00
Code Issues Projects Releases Wiki Activity

[chore] Roll back use of (created) pseudo-header pending #2991 (#2992)

Browse Source
This commit is contained in:
tobi
2024-06-10 20:42:26 +02:00
committed by GitHub
parent 69aba377bc
commit ebdcb00d0a
2 changed files with 11 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/federation/federating_with_gotosocial.md
View File

@@ -42,10 +42,12 @@ ED25519
GoToSocial request signing is implemented in [internal/transport](https://github.com/superseriousbusiness/gotosocial/blob/main/internal/transport/signing.go).
When assembling signatures:
Once https://github.com/superseriousbusiness/gotosocial/issues/2991 is resolved, GoToSocial will use the `(created)` pseudo-header instead of `date`.
- outgoing `GET` requests use `(request-target) (created) host`
- outgoing `POST` requests use `(request-target) (created) host digest`
For now however, when assembling signatures:
- outgoing `GET` requests use `(request-target) host date`
- outgoing `POST` requests use `(request-target) host date digest`
GoToSocial sets the "algorithm" field in signatures to the value `hs2019`, which essentially means "derive the algorithm from metadata associated with the keyId". The *actual* algorithm used for generating signatures is `RSA_SHA256`, which is in line with other ActivityPub implementations. When validating a GoToSocial HTTP signature, remote servers can safely assume that the signature is generated using `sha256`.