As part of security checking for incoming events, we check that the keyId sent in the HTTP signature is actually owned by the actor that the activity came from. This is to guard against activity spoofing from separate users at the same server (e.g. user B@server pretends to send a Create(Note) from user A@server).
Our check is pretty simple: the keyId is matched against the public key id as retrieved from the actor.
Except it fails for PeerTube because:
- PeerTube's actors all have the #main-key suffix on their public key IDs (e.g. https://tilvids.com/accounts/thelinuxexperiment#main-key)
- The HTTP Signature's keyId does not include the #main-key suffix (e.g. https://tilvids.com/accounts/thelinuxexperiment)
So the key ownership cross-check fails.
I could adjust the logic to strip out the URL's hash, but I was wondering if that was actually secure. I assume this is what is already done since PeerTube successfully federates with other software.
@julian I think URL comparison should not be done as a string. Like @silverpill said, fragments are stripped before comparison, alongside the usual other considerations (normalized query parameters, UTF and case normalization for the hostname, etc)
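A concrete version of the ownership check from the original post, with the URL normalization the reply describes (fragment dropped, hostname case-folded and NFC-normalized, default port removed, query parameters sorted). This is an added example, not code from the thread or from PeerTube; the actor document is constructed in PeerTube's shape, and its owner field and the extra owner-equals-actor condition are assumptions.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str) -> str:
    """Canonical form of a URL for comparing two key identifiers.

    The fragment is dropped (PeerTube's '#main-key' suffix never reaches the
    server in an HTTP request anyway), scheme and host are lower-cased, the
    host is NFC-normalized, a default port is removed and query parameters
    are sorted, so that equality is compared on the resource, not the string.
    """
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = unicodedata.normalize("NFC", p.hostname or "")  # .hostname is already lower case
    if ":" in host:  # re-bracket an IPv6 literal that .hostname stripped
        host = f"[{host}]"
    try:
        port = p.port
    except ValueError:  # malformed port: keep it out rather than guess
        port = None
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    query = urlencode(sorted(parse_qsl(p.query, keep_blank_values=True)))
    return urlunsplit((scheme, netloc, p.path or "/", query, ""))


def key_belongs_to_actor(key_id: str, actor: dict) -> bool:
    """True when the HTTP Signature keyId names a key the actor publishes as its own."""
    keys = actor.get("publicKey", [])
    if isinstance(keys, dict):  # a single key object or a list of them
        keys = [keys]
    actor_id = normalize_url(actor["id"])
    wanted = normalize_url(key_id)
    for key in keys:
        if not isinstance(key, dict) or "id" not in key:
            continue
        # The key must be the one the signature names AND declare this actor as owner,
        # so user B's key published on the same server does not pass for user A.
        if normalize_url(key["id"]) == wanted and normalize_url(key.get("owner", "")) == actor_id:
            return True
    return False


# Constructed sample actor in PeerTube's shape; the '#main-key' suffix is what the
# post reports, the 'owner' value and the PEM placeholder are made up for this example.
SAMPLE_ACTOR = {
    "id": "https://tilvids.com/accounts/thelinuxexperiment",
    "publicKey": {
        "id": "https://tilvids.com/accounts/thelinuxexperiment#main-key",
        "owner": "https://tilvids.com/accounts/thelinuxexperiment",
        "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----",
    },
}
```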