vertix-social / vertix

something coming soon
GNU Affero General Public License v3.0

Implement HTTP signatures #1

Open devyn opened 1 year ago

devyn commented 1 year ago

Mastodon won't accept activities from an actor unless it can verify their signature. We need to provide a public key for every actor and sign any activities with their actor's key in the HTTP header.

devyn commented 1 year ago

Current thinking: use the `http-sign` crate for signatures. This one is really simple and it supports Hs2019, which is not deprecated and which Mastodon does support. Only RSA is supported; I'm guessing RSA-PSS would work fine. Probably use RSA-3072. ECDSA would be preferable and is technically included in Hs2019, but I'm not sure if Mastodon supports it anyway.

Digests have to be provided, and `digest-headers` seems to be the most straightforward crate to do so.
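
The string that an HTTP signature covers, following draft-cavage-http-signatures, as an added example that is not part of the comments above or of the vertix code base. The covered header list, the host, the key id and the digest value are assumptions constructed for illustration, and the RSA signature itself is left to whichever crate the project picks.

```rust
/// Build the draft-cavage signing string from the covered header list, in order.
fn signing_string(method: &str, path: &str, headers: &[(&str, &str)], covered: &[&str]) -> Result<String, String> {
    let mut lines = Vec::with_capacity(covered.len());
    for name in covered {
        let name = name.to_ascii_lowercase();
        if name == "(request-target)" {
            // Pseudo-header: lowercased method, a space, then the path and query.
            lines.push(format!("(request-target): {} {}", method.to_ascii_lowercase(), path));
            continue;
        }
        // Names match case-insensitively; repeated headers are joined with ", ".
        let values: Vec<&str> = headers
            .iter()
            .filter(|(n, _)| n.eq_ignore_ascii_case(&name))
            .map(|(_, v)| v.trim())
            .collect();
        if values.is_empty() {
            // Never sign or verify over a header the request does not carry.
            return Err(format!("covered header missing: {}", name));
        }
        lines.push(format!("{}: {}", name, values.join(", ")));
    }
    Ok(lines.join("\n")) // no trailing newline
}

/// Assemble the Signature header value around an already computed signature.
fn signature_header(key_id: &str, covered: &[&str], signature_b64: &str) -> String {
    format!(
        "keyId=\"{}\",algorithm=\"hs2019\",headers=\"{}\",signature=\"{}\"",
        key_id,
        covered.join(" ").to_ascii_lowercase(),
        signature_b64
    )
}

fn main() {
    // Constructed sample request: host, key id and digest value are placeholders.
    let headers = [
        ("Host", "remote.example"),
        ("Date", "Tue, 07 Jun 2022 20:51:35 GMT"),
        ("Digest", "SHA-256=<base64 of the body hash>"),
    ];
    let covered = ["(request-target)", "host", "date", "digest"];
    println!("{}", signing_string("POST", "/inbox", &headers, &covered).unwrap());
    let key_id = "https://vertix.example/users/alice#main-key";
    println!("{}", signature_header(key_id, &covered, "<base64 signature>"));
}
```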