TIL: @nodebb uses it's own implementation of the HTTP Message Signatures algorithm, and it's not particularly long.
-
TIL: @nodebb uses it's own implementation of the HTTP Message Signatures algorithm, and it's not particularly long. (I thought it'd be larger)
https://github.com/NodeBB/NodeBB/blob/master/src/activitypub/index.js#L176-L272
-
@thisismissem @nodebb Yeah, if you have access to all the cryptographic primitives you need it's really not too terrible. Signatures were about 25 LOC in Pinhole: https://fietkau.software/Pinhole.git/blob/f6e243deadf741e40b8f0bd5f5de63fa42ad89dd/pinhole.py#l232
There are other valid reasons to try to move away from cavage-12, like library support, but implementation complexity isn't really one of them. Not a ton can go wrong after you get it working once.
(Although I do recall debugging an interop thing with @julian@community.nodebb.org that had to do with silly formatting minutiae.)
-
@julian@fietkau.social @nodebb @julian@community.nodebb.org I'm still thinking we really only need one implementation of HTTP Message Signatures in each language though, tbh.
We currently have like three or four in javascript? (fedify, nodebb, misskey, peertube)
-
@thisismissem @julian@community.nodebb.org Ideally, yeah! At the time I wrote mine, there wasn't a library for it in Python, so things kept getting copy&pasted. I think it was similar for JS at the time.
I don't know how easy it would be to import only the signature functions from Fedify (without using the ActivityPub parts of it), but maybe that's an option now.
-
@julian@fietkau.social @thisismissem@hachyderm.io part of what I want to do with NodeBB is abstract out those basic parts of AP integration into its own separate library, so it's just requiring a module to be able to successfully sign and verify.
