So, signature checks are working most of the time, but let's look at my comment from #10
There's a couple which are using the SignatureValue property, and those are unpublished, so let's see if we can make that one work.
Original summary.
We currently don't check the signature on an incoming activity in the Inbox.
This is badly needed of course to make sure you don't get overspammed or spoofed.
(also, double check reply with peertube)
Comments
Comment #3
swentel commented
We'll probably need follow-ups to this one, but at least the status now depends on it.
Comment #4
swentel commented
Comment #5
swentel commented
Reopening, it doesn't work, most likely due to https://github.com/tootsuite/mastodon/issues/15016
Opened an issue at https://github.com/landrok/activitypub/issues/18 and will dig in deeper myself next week.
Comment #9
swentel commented
The most important variation of the signature is now checked.
The other variation is (for DELETE requests for a user) where the value of the signature is in the payload itself.
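The first variation from this comment, the HTTP Signature header on the inbox POST, as an added Python example (not the module's PHP code): it rebuilds the signing string, checks that the Digest header matches the body received and that the Date is fresh, and then hands the RSA-SHA256 check to a caller-supplied `rsa_verify`. Assumptions: the caller fetched the actor's public key from `keyId` and implements `rsa_verify(key_pem, message, sig) -> bool` with a crypto library; the request in `demo()` is constructed and fakes that RSA step.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def sha256_digest_header(body):
    """Value an ActivityPub sender puts in `Digest:` for this body."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def build_signing_string(method, path, headers, signed_names):
    """Rebuild the string the sender signed (draft-cavage HTTP Signatures); headers is lower-cased."""
    return "\n".join(f"(request-target): {method.lower()} {path}" if n == "(request-target)"
                     else f"{n}: {headers[n]}" for n in signed_names.split())  # KeyError if absent

def verify_inbox_request(method, path, headers, body, key_pem, rsa_verify, now=None, max_skew_s=3600):
    """Return (ok, reason or keyId). rsa_verify(key_pem, message, sig) -> bool is caller supplied."""
    h = {k.lower(): v for k, v in headers.items()}
    params = dict(re.findall(r'(\w+)="([^"]*)"', h.get("signature", "")))
    signed = params.get("headers", "date")  # spec default when `headers` is omitted
    # Without these four the signature does not bind actor key, host, time and body.
    for required in ("(request-target)", "host", "date", "digest"):
        if required not in signed.split():
            return False, f"unsigned header: {required}"
    try:
        if not hmac.compare_digest(sha256_digest_header(body), h["digest"]):
            return False, "digest mismatch"
        age = (now or datetime.now(timezone.utc)) - parsedate_to_datetime(h["date"])
        if abs(age.total_seconds()) > max_skew_s:
            return False, "date outside window"
        message = build_signing_string(method, path, h, signed).encode()
        sig = base64.b64decode(params["signature"], validate=True)
    except (KeyError, ValueError, TypeError):
        return False, "malformed request"
    if not rsa_verify(key_pem, message, sig):
        return False, "bad signature"
    return True, params.get("keyId", "")

def demo():
    """Constructed inbox POST; the RSA step is faked by comparing against the expected signing string."""
    body = b'{"type":"Create","actor":"https://remote.example/users/alice"}'
    headers = {"Host": "drupal.example", "Date": "Sat, 01 Jan 2022 12:00:00 GMT",
               "Digest": sha256_digest_header(body),
               "Signature": 'keyId="https://remote.example/users/alice#main-key",algorithm="rsa-sha256",'
                            'headers="(request-target) host date digest",signature="c2ln"'}
    expected = build_signing_string("POST", "/inbox", {k.lower(): v for k, v in headers.items()},
                                    "(request-target) host date digest").encode()
    fake_verify = lambda pem, msg, sig: msg == expected and sig == b"sig"  # stands in for RSA-SHA256
    now = datetime(2022, 1, 1, 12, 5, tzinfo=timezone.utc)
    good = verify_inbox_request("POST", "/inbox", headers, body, "PEM", fake_verify, now)
    tampered = verify_inbox_request("POST", "/inbox", headers, body + b" ", "PEM", fake_verify, now)
    return good, tampered
```

The DELETE-for-a-user case, where the signature travels in the payload rather than the header, is a different mechanism and is not covered by this check.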
Comment #10
swentel commented
With #3247999: phpsec needs some code updates in, most signatures are coming in fine, that's great.
There's a couple which are using the SignatureValue property, and those are unpublished, so let's see if we can make that one work.
Comment #11
swentel commented
Comment #12
swentel commented
Comment #13
swentel commented
Comment #14
swentel commented
I think this is fine at the moment. The SignatureValue is something that we can track in #3319596: Handle incoming delete actor requests
Comment #16
swentel commented