A remote fediverse actor with URL fragment identifier can be searched and even asked to follow but BookWyrm reject 'Accept' and other incoming activities with http/401, note the remote proven to communicate with Mastodon and Pixelfed based instances (for example).
An example actor could be tried is http://fediverse.demo.openlinksw.com/dataspace/person/demo#this identifier @demo@fediverse.demo.openlinksw.com
The problem boils down to following code in signature verification:
bookwyrm/views/inbox.py
134 key_actor = urldefrag(signature.key_id).url
135 if key_actor != activity.get("actor"): # <<< [1]
136 raise ValueError("Wrong actor created signature.")
137
138 remote_user = activitypub.resolve_remote_id(key_actor, model=models.User) # <<< [2]
139 if not remote_user:
140 return False
The keyId is not mandatory to be a same path as actor, it is common to be in same document, but actor is not a document URL.
Person/Organization etc. objects are not documents, therefore these can have fragment identifiers.
Expected flow:
Resolve the document based on keyId, look at publicKey/owner relation and compare with actor, if so use publicKeyPem to construct crypto key for verification, perhaps can cache the keyId publicKey/id from user profile and look for it.
Version is main branch on Github but fails with old versions as well.
A remote fediverse actor with URL fragment identifier can be searched and even asked to follow but BookWyrm reject 'Accept' and other incoming activities with http/401, note the remote proven to communicate with Mastodon and Pixelfed based instances (for example).
An example actor could be tried is
http://fediverse.demo.openlinksw.com/dataspace/person/demo#this
identifier@demo@fediverse.demo.openlinksw.com
The problem boils down to following code in signature verification:
bookwyrm/views/inbox.py
Expected flow: Resolve the document based on
keyId
, look at publicKey/owner relation and compare with actor, if so use publicKeyPem to construct crypto key for verification, perhaps can cache the keyId publicKey/id from user profile and look for it.Version is main branch on Github but fails with old versions as well.