ActivityPub

0 readers

1 users here now

Focused discussion related to ActivityPub integration in NodeBB

founded 6 months ago

Question re: PeerTube's pubkey IDs (community.nodebb.org)

submitted 2 weeks ago by [email protected] to c/[email protected]

7 comments fedilink hide all child comments

As part of security checking for incoming events, we check that the keyId sent in the HTTP signature is actually owned by the actor that the activity came from. This is to guard against activity spoofing from separate users at the same server (e.g. user B@server pretends to send a Create(Note) from user A@server).

Our check is pretty simple, the keyId matched against the public key id as retrieved from the actor.

Except it fails for PeerTube because:

PeerTube's actors all have the #main-key suffix on their public key IDs (e.g. https://tilvids.com/accounts/thelinuxexperiment#main-key)
The HTTP Signature's keyId does not include the #main-key suffix (e.g. https://tilvids.com/accounts/thelinuxexperiment)

So the key ownership cross-check fails.

I could adjust the logic to strip out the URL's hash, but I was wondering if that was actually secure. I assume this is what is already done since PeerTube successfully federates with other softwares.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 0 points 4 days ago (1 children)

@[email protected] not yet, although I should open an issue, thanks for the reminder!

[–] [email protected] 1 points 4 days ago (1 children)

@julian I am affected by it as well, which is strange because previously federation with PeerTube worked fine. Perhaps they broke it in a recent release

[–] [email protected] 1 points 2 days ago

@julian Fixed: https://github.com/Chocobozzz/PeerTube/commit/038c41030858a98071200cdbb2b134aeaac7be9a