npm - @rmdes/indiekit-endpoint-activitypub - Versions diffs - 3.8.2 → 3.8.3 - Mend

@rmdes/indiekit-endpoint-activitypub 3.8.2 → 3.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/federation-setup.js +16 -2
package/package.json +1 -1

package/lib/federation-setup.js CHANGED Viewed

@@ -154,7 +154,16 @@ export function setupFederation(options) {
           };
           if (keyPairs.length > 0) {
             appOptions.publicKey = keyPairs[0].cryptographicKey;
-            appOptions.assertionMethods = keyPairs.map((k) => k.multikey);
+            // Only include Ed25519 keys in assertionMethod (Object Integrity Proofs).
+            // RSA keys belong only in publicKey (HTTP Signatures). Putting the RSA
+            // Multikey in assertionMethod with the same #main-key id as the
+            // CryptographicKey in publicKey causes id collisions — servers that
+            // traverse JSON-LD properties alphabetically (assertionMethod before
+            // publicKey) find the Multikey first, which has no publicKeyPem,
+            // and fail signature verification.
+            appOptions.assertionMethods = keyPairs
+              .filter((k) => k.privateKey.algorithm.name !== "RSASSA-PKCS1-v1_5")
+              .map((k) => k.multikey);
           }
           return new Application(appOptions);
         }
@@ -753,7 +762,12 @@ export async function buildPersonActor(
   if (keyPairs.length > 0) {
     personOptions.publicKey = keyPairs[0].cryptographicKey;
-    personOptions.assertionMethods = keyPairs.map((k) => k.multikey);
+    // Only include Ed25519 keys in assertionMethod (Object Integrity Proofs).
+    // RSA keys belong only in publicKey (HTTP Signatures). See instance actor
+    // above for the full explanation of why this filter is necessary.
+    personOptions.assertionMethods = keyPairs
+      .filter((k) => k.privateKey.algorithm.name !== "RSASSA-PKCS1-v1_5")
+      .map((k) => k.multikey);
   }
   // Build profile field attachments (PropertyValue).

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-activitypub",
-  "version": "3.8.2",
+  "version": "3.8.3",
   "description": "ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.",
   "keywords": [
     "indiekit",