diff --git a/docs/federation/federating_with_gotosocial.md b/docs/federation/federating_with_gotosocial.md index 947a03f9b..0fd4580ce 100644 --- a/docs/federation/federating_with_gotosocial.md +++ b/docs/federation/federating_with_gotosocial.md @@ -44,8 +44,8 @@ GoToSocial request signing is implemented in [internal/transport](https://github When assembling signatures: -- outgoing `GET` requests use `(request-target) host date` -- outgoing `POST` requests use `(request-target) host date digest` +- outgoing `GET` requests use `(request-target) (created) host` +- outgoing `POST` requests use `(request-target) (created) host digest` GoToSocial sets the "algorithm" field in signatures to the value `hs2019`, which essentially means "derive the algorithm from metadata associated with the keyId". The *actual* algorithm used for generating signatures is `RSA_SHA256`, which is in line with other ActivityPub implementations. When validating a GoToSocial HTTP signature, remote servers can safely assume that the signature is generated using `sha256`. diff --git a/internal/transport/signing.go b/internal/transport/signing.go index e33e4a05f..fa15eee5e 100644 --- a/internal/transport/signing.go +++ b/internal/transport/signing.go @@ -25,8 +25,8 @@ var ( // http signer preferences prefs = []httpsig.Algorithm{httpsig.RSA_SHA256} digestAlgo = httpsig.DigestSha256 - getHeaders = []string{httpsig.RequestTarget, "host", "date"} - postHeaders = []string{httpsig.RequestTarget, "host", "date", "digest"} + getHeaders = []string{httpsig.RequestTarget, "(created)", "host"} + postHeaders = []string{httpsig.RequestTarget, "(created)", "host", "digest"} ) // NewGETSigner returns a new httpsig.Signer instance initialized with GTS GET preferences.