@fedify/fedify 2.3.0-dev.1110 → 2.3.0-dev.1119

package/dist/{http-BDZeS5om.d.ts → http-D6LP89UO.d.ts}

@@ -1,6 +1,6 @@
 /// <reference lib="esnext.temporal" />
 import { CryptographicKey, Multikey } from "@fedify/vocab";
-import { TracerProvider } from "@opentelemetry/api";
+import { MeterProvider, TracerProvider } from "@opentelemetry/api";
 import { DocumentLoader } from "@fedify/vocab-runtime";
 
 //#region src/sig/key.d.ts
@@ -464,6 +464,12 @@ interface VerifyRequestOptions {
   * @since 1.3.0
   */
   tracerProvider?: TracerProvider;
+  /**
+  * The OpenTelemetry meter provider.  If omitted, the global meter provider
+  * is used.
+  * @since 2.3.0
+  */
+  meterProvider?: MeterProvider;
 }
 /**
 * The reason why {@link verifyRequestDetailed} could not verify a request.

package/dist/{http-C87EWkO0.d.cts → http-D6aw3j2U.d.cts}

@@ -1,7 +1,7 @@
 /// <reference lib="esnext.temporal" />
 import { CryptographicKey, Multikey } from "@fedify/vocab";
 import { DocumentLoader } from "@fedify/vocab-runtime";
-import { TracerProvider } from "@opentelemetry/api";
+import { MeterProvider, TracerProvider } from "@opentelemetry/api";
 
 //#region src/sig/key.d.ts
 /**
@@ -464,6 +464,12 @@ interface VerifyRequestOptions {
   * @since 1.3.0
   */
   tracerProvider?: TracerProvider;
+  /**
+  * The OpenTelemetry meter provider.  If omitted, the global meter provider
+  * is used.
+  * @since 2.3.0
+  */
+  meterProvider?: MeterProvider;
 }
 /**
 * The reason why {@link verifyRequestDetailed} could not verify a request.

package/dist/{http-BLopFpvC.mjs → http-DUV8ysti.mjs}

@@ -1,9 +1,10 @@
 import { Temporal } from "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-hqC7tKJn.mjs";
-import { i as validateAcceptSignature, n as fulfillAcceptSignature, r as parseAcceptSignature } from "./accept-CceiKpCy.mjs";
-import { o as validateCryptoKey, r as fetchKeyDetailed } from "./key-DW1EVmtP.mjs";
+import { n as version, t as name } from "./deno-DVsHS7rA.mjs";
+import { a as measureSignatureKeyFetch, n as getFederationMetrics, t as getDurationMs } from "./metrics-C4attqv0.mjs";
+import { i as validateAcceptSignature, n as fulfillAcceptSignature, r as parseAcceptSignature } from "./accept-CgDcxvjV.mjs";
+import { o as validateCryptoKey, r as fetchKeyDetailed } from "./key-BoWaYRHm.mjs";
 import { getLogger } from "@logtape/logtape";
 import { CryptographicKey } from "@fedify/vocab";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
@@ -317,6 +318,27 @@ function parseKeyId(value) {
 function getKeyFetchErrorName(error) {
 	return error.name || error.constructor.name || "Error";
 }
+/**
+* Known draft-cavage `algorithm` parameter values, used to keep the
+* `http_signatures.algorithm` metric attribute on a bounded set.  The header
+* field is attacker-controlled and not used to select the verification
+* algorithm, so unknown values are dropped from the metric to prevent
+* cardinality blow-up.
+*/
+const DRAFT_KNOWN_ALGORITHMS = new Set([
+	"ecdsa-sha256",
+	"ecdsa-sha384",
+	"ecdsa-sha512",
+	"ed25519",
+	"hs2019",
+	"rsa-sha1",
+	"rsa-sha256",
+	"rsa-sha512"
+]);
+function classifyHttpVerifyResult(result) {
+	if (result.verified) return "verified";
+	return result.reason.type === "noSignature" ? "missing" : "rejected";
+}
 function recordVerificationResult(span, result) {
 	span.setAttribute("http_signatures.verified", result.verified);
 	if (result.verified === true) return;
@@ -360,27 +382,37 @@ async function verifyRequestDetailed(request, options = {}) {
 			span.setAttribute(ATTR_URL_FULL, request.url);
 			for (const [name, value] of request.headers) span.setAttribute(ATTR_HTTP_REQUEST_HEADER(name), value);
 		}
+		const start = performance.now();
+		const metricsContext = {};
+		let result;
+		let threw = false;
 		try {
 			let spec = options.spec;
 			if (spec == null) spec = request.headers.has("Signature-Input") ? "rfc9421" : "draft-cavage-http-signatures-12";
-			let result;
-			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, options);
-			else result = await verifyRequestDraft(request, span, options);
+			if (spec === "rfc9421") result = await verifyRequestRfc9421(request, span, metricsContext, options);
+			else result = await verifyRequestDraft(request, span, metricsContext, options);
 			recordVerificationResult(span, result);
 			if (!result.verified) span.setStatus({ code: SpanStatusCode.ERROR });
 			return result;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : classifyHttpVerifyResult(result);
+			const failureReason = result != null && !result.verified && result.reason.type !== "noSignature" ? result.reason.type : void 0;
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "http", classified, {
+				algorithm: metricsContext.algorithm,
+				failureReason
+			});
 			span.end();
 		}
 	});
 }
-async function verifyRequestDraft(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
+async function verifyRequestDraft(request, span, metricsContext, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, meterProvider, tracerProvider } = {}) {
 	const logger = getLogger([
 		"fedify",
 		"sig",
@@ -528,13 +560,17 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 	const keyIdUrl = parseKeyId(keyId);
 	if (keyIdUrl == null) return invalidSignatureResult(null);
 	span?.setAttribute("http_signatures.key_id", keyId);
-	if ("algorithm" in sigValues) span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
-	const { key, cached, fetchError } = await fetchKeyDetailed(keyIdUrl, CryptographicKey, {
+	if ("algorithm" in sigValues) {
+		span?.setAttribute("http_signatures.algorithm", sigValues.algorithm);
+		const normalizedAlgorithm = sigValues.algorithm.toLowerCase();
+		if (DRAFT_KNOWN_ALGORITHMS.has(normalizedAlgorithm)) metricsContext.algorithm = normalizedAlgorithm;
+	}
+	const { key, cached, fetchError } = await measureSignatureKeyFetch(meterProvider, "http", () => fetchKeyDetailed(keyIdUrl, CryptographicKey, {
 		documentLoader,
 		contextLoader,
 		keyCache,
 		tracerProvider
-	});
+	}));
 	if (fetchError != null) return keyFetchErrorResult(keyIdUrl, fetchError);
 	if (key == null) return invalidSignatureResult(keyIdUrl);
 	const headerNames = headers.split(/\s+/g);
@@ -556,7 +592,7 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				signature,
 				message
 			});
-			return await verifyRequestDetailed(originalRequest, {
+			return await verifyRequestDraft(originalRequest, span, metricsContext, {
 				documentLoader,
 				contextLoader,
 				timeWindow,
@@ -564,7 +600,9 @@ async function verifyRequestDraft(request, span, { documentLoader, contextLoader
 				keyCache: {
 					get: () => Promise.resolve(void 0),
 					set: async (keyId, key) => await keyCache?.set(keyId, key)
-				}
+				},
+				meterProvider,
+				tracerProvider
 			});
 		}
 		logger.debug("Failed to verify with the fetched key {keyId}; signature {signature} is invalid.  Check if the key is correct or if the signed message is correct.  The message to sign is:\n{message}", {
@@ -640,7 +678,7 @@ async function verifyRfc9421ContentDigest(digestHeader, body) {
 	}
 	return false;
 }
-async function verifyRequestRfc9421(request, span, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, tracerProvider } = {}) {
+async function verifyRequestRfc9421(request, span, metricsContext, { documentLoader, contextLoader, timeWindow, currentTime, keyCache, meterProvider, tracerProvider } = {}) {
 	const logger = getLogger([
 		"fedify",
 		"sig",
@@ -674,9 +712,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		return invalidSignatureResult(null);
 	}
 	let failure = noSignatureResult();
+	let failureAlgorithm;
+	const setFailure = (result, algorithm) => {
+		failure = result;
+		failureAlgorithm = algorithm;
+	};
 	for (const sigName of signatureNames) {
 		if (!signatures[sigName]) {
-			failure = invalidSignatureResult(parseKeyId(signatureInputs[sigName]?.keyId));
+			setFailure(invalidSignatureResult(parseKeyId(signatureInputs[sigName]?.keyId)));
 			continue;
 		}
 		const sigInput = signatureInputs[sigName];
@@ -687,7 +730,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
-			failure = invalidSignatureResult(null);
+			setFailure(invalidSignatureResult(null));
 			continue;
 		}
 		if (!sigInput.created) {
@@ -695,7 +738,7 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				signatureName: sigName,
 				signatureInput: signatureInputHeader
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		const signatureCreated = Temporal.Instant.fromEpochMilliseconds(sigInput.created * 1e3);
@@ -707,14 +750,14 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			} else if (Temporal.Instant.compare(signatureCreated, now.subtract(tw)) < 0) {
 				logger.debug("Failed to verify; signature created time is too far in the past.", {
 					created: signatureCreated.toString(),
 					now: now.toString()
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 		}
@@ -722,34 +765,34 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 			const contentDigestHeader = request.headers.get("Content-Digest");
 			if (!contentDigestHeader) {
 				logger.debug("Failed to verify; Content-Digest header required but not found.", { components: sigInput.components });
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 			if (!await verifyRfc9421ContentDigest(contentDigestHeader, await request.arrayBuffer())) {
 				logger.debug("Failed to verify; Content-Digest verification failed.", { contentDigest: contentDigestHeader });
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId));
 				continue;
 			}
 		}
 		span?.setAttribute("http_signatures.key_id", sigInput.keyId);
 		span?.setAttribute("http_signatures.created", sigInput.created.toString());
 		if (keyId == null) {
-			failure = invalidSignatureResult(null);
+			setFailure(invalidSignatureResult(null));
 			continue;
 		}
-		const { key, cached, fetchError } = await fetchKeyDetailed(keyId, CryptographicKey, {
+		const { key, cached, fetchError } = await measureSignatureKeyFetch(meterProvider, "http", () => fetchKeyDetailed(keyId, CryptographicKey, {
 			documentLoader,
 			contextLoader,
 			keyCache,
 			tracerProvider
-		});
+		}));
 		if (fetchError != null) {
-			failure = keyFetchErrorResult(keyId, fetchError);
+			setFailure(keyFetchErrorResult(keyId, fetchError));
 			continue;
 		}
 		if (!key) {
 			logger.debug("Failed to fetch key: {keyId}", { keyId: sigInput.keyId });
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		let alg = sigInput.alg?.toLowerCase();
@@ -761,12 +804,13 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 		}
 		if (alg) span?.setAttribute("http_signatures.algorithm", alg);
 		const algorithm = alg && rfc9421AlgorithmMap[alg];
+		const candidateAlgorithm = algorithm ? alg : void 0;
 		if (!algorithm) {
 			logger.debug("Failed to verify; unsupported algorithm: {algorithm}", {
 				algorithm: sigInput.alg,
 				supported: Object.keys(rfc9421AlgorithmMap)
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId));
 			continue;
 		}
 		let signatureBase;
@@ -777,20 +821,22 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				error,
 				signatureInput: sigInput
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 			continue;
 		}
 		const signatureBaseBytes = new TextEncoder().encode(signatureBase);
 		span?.setAttribute("http_signatures.signature", encodeHex(sigBytes));
 		try {
-			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) return {
-				verified: true,
-				key,
-				signatureLabel: sigName
-			};
-			else if (cached) {
+			if (await crypto.subtle.verify(algorithm, key.publicKey, sigBytes.slice(), signatureBaseBytes)) {
+				metricsContext.algorithm = candidateAlgorithm;
+				return {
+					verified: true,
+					key,
+					signatureLabel: sigName
+				};
+			} else if (cached) {
 				logger.debug("Failed to verify with cached key {keyId}; retrying with fresh key...", { keyId: sigInput.keyId });
-				return await verifyRequestDetailed(originalRequest, {
+				return await verifyRequestRfc9421(originalRequest, span, metricsContext, {
 					documentLoader,
 					contextLoader,
 					timeWindow,
@@ -799,14 +845,16 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 						get: () => Promise.resolve(void 0),
 						set: async (keyId, key) => await keyCache?.set(keyId, key)
 					},
-					spec: "rfc9421"
+					spec: "rfc9421",
+					meterProvider,
+					tracerProvider
 				});
 			} else {
 				logger.debug("Failed to verify signature with fetched key {keyId}; signature invalid.", {
 					keyId: sigInput.keyId,
 					signatureBase
 				});
-				failure = invalidSignatureResult(keyId);
+				setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 			}
 		} catch (error) {
 			logger.debug("Error during signature verification: {error}", {
@@ -814,9 +862,10 @@ async function verifyRequestRfc9421(request, span, { documentLoader, contextLoad
 				keyId: sigInput.keyId,
 				algorithm: sigInput.alg
 			});
-			failure = invalidSignatureResult(keyId);
+			setFailure(invalidSignatureResult(keyId), candidateAlgorithm);
 		}
 	}
+	metricsContext.algorithm = failureAlgorithm;
 	return failure;
 }
 /**

package/dist/{key-DW1EVmtP.mjs → key-BoWaYRHm.mjs}

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-hqC7tKJn.mjs";
+import { n as version, t as name } from "./deno-DVsHS7rA.mjs";
 import { getLogger } from "@logtape/logtape";
 import { CryptographicKey, Object as Object$1, isActor } from "@fedify/vocab";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";

package/dist/{kv-cache-C3NWWiTg.js → kv-cache-DBNpsneh.js}

@@ -1,6 +1,6 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { URLPattern } from "urlpattern-polyfill";
-import { d as validateCryptoKey, t as doubleKnock } from "./http-O8MYWwk8.js";
+import { d as validateCryptoKey, t as doubleKnock } from "./http-CouJSFVK.js";
 import { getLogger } from "@logtape/logtape";
 import { curry } from "es-toolkit";
 import { UrlError, createActivityPubRequest, getRemoteDocument, logRequest, preloadedContexts, validatePublicUrl } from "@fedify/vocab-runtime";

package/dist/{kv-cache-Dya-TWMe.cjs → kv-cache-Dz31ATUT.cjs}

@@ -1,7 +1,7 @@
 const { Temporal } = require("@js-temporal/polyfill");
 const { URLPattern } = require("urlpattern-polyfill");
 require("./chunk-DDcVe30Y.cjs");
-const require_http = require("./http-DV0il3vk.cjs");
+const require_http = require("./http-CubOB9wq.cjs");
 let _logtape_logtape = require("@logtape/logtape");
 let es_toolkit = require("es-toolkit");
 let _fedify_vocab_runtime = require("@fedify/vocab-runtime");

package/dist/{ld-BNkk2Yal.mjs → ld-B5K1mSuG.mjs}

@@ -1,8 +1,9 @@
 import "@js-temporal/polyfill";
 import "urlpattern-polyfill";
 globalThis.addEventListener = () => {};
-import { n as version, t as name } from "./deno-hqC7tKJn.mjs";
-import { n as fetchKey, o as validateCryptoKey } from "./key-DW1EVmtP.mjs";
+import { n as version, t as name } from "./deno-DVsHS7rA.mjs";
+import { a as measureSignatureKeyFetch, n as getFederationMetrics, t as getDurationMs } from "./metrics-C4attqv0.mjs";
+import { n as fetchKey, o as validateCryptoKey } from "./key-BoWaYRHm.mjs";
 import { getLogger } from "@logtape/logtape";
 import { Activity, CryptographicKey, Object as Object$1, getTypeId } from "@fedify/vocab";
 import { SpanStatusCode, trace } from "@opentelemetry/api";
@@ -146,6 +147,17 @@ function detachSignature(jsonLd) {
 }
 /**
 * Verifies Linked Data Signatures of the given JSON-LD document.
+*
+* This is a low-level utility that only checks the cryptographic signature
+* and (optionally) the cached key.  It does not run the JSON-LD parsing,
+* attribution, and owner checks that a complete inbound LD verification
+* needs.  For incoming activities, prefer {@link verifyJsonLd}, which is
+* the public verification entry point and the one that emits the
+* `activitypub.signature.verification.duration` metric for the LD path.
+* `verifySignature` itself only emits
+* `activitypub.signature.key_fetch.duration`, since the rest of the work
+* that the verification-duration metric is meant to cover happens in
+* `verifyJsonLd`.
 * @param jsonLd The JSON-LD document to verify.
 * @param options Options for verifying the signature.
 * @returns The public key that signed the document or `null` if the signature
@@ -165,7 +177,7 @@ async function verifySignature(jsonLd, options = {}) {
 		});
 		return null;
 	}
-	const { key, cached } = await fetchKey(new URL(sig.creator), CryptographicKey, options);
+	const { key, cached } = await measureSignatureKeyFetch(options.meterProvider, "linked_data", () => fetchKey(new URL(sig.creator), CryptographicKey, options));
 	if (key == null) return null;
 	const sigOpts = {
 		...sig,
@@ -205,13 +217,13 @@ async function verifySignature(jsonLd, options = {}) {
 			keyId: sig.creator,
 			...sig
 		});
-		const { key } = await fetchKey(new URL(sig.creator), CryptographicKey, {
+		const { key } = await measureSignatureKeyFetch(options.meterProvider, "linked_data", () => fetchKey(new URL(sig.creator), CryptographicKey, {
 			...options,
 			keyCache: {
 				get: () => Promise.resolve(void 0),
 				set: async (keyId, key) => await options.keyCache?.set(keyId, key)
 			}
-		});
+		}));
 		if (key == null) return null;
 		return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key.publicKey, signature.slice(), messageBytes) ? key : null;
 	}
@@ -223,6 +235,33 @@ async function verifySignature(jsonLd, options = {}) {
 	return null;
 }
 /**
+* Known Linked Data Signature `type` values, used to keep
+* `ld_signatures.type` on a bounded set of spec-defined string values.
+* Fedify only signs and verifies `RsaSignature2017`; other values come in
+* only from external documents and are dropped from the metric attribute to
+* avoid attacker-controlled cardinality.
+*/
+const LD_KNOWN_SIGNATURE_TYPES = new Set(["RsaSignature2017"]);
+/**
+* Reports only whether a `signature` key is present on the document, with
+* no shape check on its value.  This is intentionally looser than
+* {@link hasSignature} (which validates a full `RsaSignature2017` shape)
+* and {@link hasSignatureLike} (which structurally accepts several known
+* suites): `verifyJsonLd` needs to tell a document with a malformed or
+* unsupported signature payload (classified as `rejected`) apart from a
+* truly unsigned document (classified as `missing`), and only this
+* presence-only check captures both cases.
+*/
+function hasLdSignatureProperty(jsonLd) {
+	return typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd;
+}
+function getLdSignatureObject(jsonLd) {
+	if (!hasLdSignatureProperty(jsonLd)) return void 0;
+	const { signature } = jsonLd;
+	if (typeof signature !== "object" || signature == null || Array.isArray(signature)) return;
+	return signature;
+}
+/**
 * Verify the authenticity of the given JSON-LD document using Linked Data
 * Signatures.  If the document is signed, this function verifies the signature
 * and checks if the document is attributed to the owner of the public key.
@@ -233,14 +272,22 @@ async function verifySignature(jsonLd, options = {}) {
 */
 async function verifyJsonLd(jsonLd, options = {}) {
 	return await (options.tracerProvider ?? trace.getTracerProvider()).getTracer(name, version).startActiveSpan("ld_signatures.verify", async (span) => {
+		const start = performance.now();
+		let verified = false;
+		let threw = false;
+		let signatureType;
 		try {
 			const object = await Object$1.fromJsonLd(jsonLd, options);
 			if (object.id != null) span.setAttribute("activitypub.object.id", object.id.href);
 			span.setAttribute("activitypub.object.type", getTypeId(object).href);
-			if (typeof jsonLd === "object" && jsonLd != null && "signature" in jsonLd && typeof jsonLd.signature === "object" && jsonLd.signature != null) {
-				if ("creator" in jsonLd.signature && typeof jsonLd.signature.creator === "string") span.setAttribute("ld_signatures.key_id", jsonLd.signature.creator);
-				if ("signatureValue" in jsonLd.signature && typeof jsonLd.signature.signatureValue === "string") span.setAttribute("ld_signatures.signature", jsonLd.signature.signatureValue);
-				if ("type" in jsonLd.signature && typeof jsonLd.signature.type === "string") span.setAttribute("ld_signatures.type", jsonLd.signature.type);
+			const sig = getLdSignatureObject(jsonLd);
+			if (sig != null) {
+				if (typeof sig.creator === "string") span.setAttribute("ld_signatures.key_id", sig.creator);
+				if (typeof sig.signatureValue === "string") span.setAttribute("ld_signatures.signature", sig.signatureValue);
+				if (typeof sig.type === "string") {
+					span.setAttribute("ld_signatures.type", sig.type);
+					if (LD_KNOWN_SIGNATURE_TYPES.has(sig.type)) signatureType = sig.type;
+				}
 			}
 			const attributions = new Set(object.attributionIds.map((uri) => uri.href));
 			if (object instanceof Activity) for (const uri of object.actorIds) attributions.add(uri.href);
@@ -255,14 +302,18 @@ async function verifyJsonLd(jsonLd, options = {}) {
 				logger.debug("Some attributions are not authenticated by the Linked Data Signatures: {attributions}.", { attributions: [...attributions] });
 				return false;
 			}
+			verified = true;
 			return true;
 		} catch (error) {
+			threw = true;
 			span.setStatus({
 				code: SpanStatusCode.ERROR,
 				message: String(error)
 			});
 			throw error;
 		} finally {
+			const classified = threw ? "error" : verified ? "verified" : hasLdSignatureProperty(jsonLd) ? "rejected" : "missing";
+			getFederationMetrics(options.meterProvider).recordSignatureVerificationDuration(getDurationMs(start), "linked_data", classified, { ldType: signatureType });
 			span.end();
 		}
 	});