Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvements to signature verification #9667

Merged
merged 4 commits into from
Jan 7, 2019
Merged

Improvements to signature verification #9667

merged 4 commits into from
Jan 7, 2019

Conversation

ClearlyClaire
Copy link
Contributor

  • Fix stored invalid keys preventing from updating account data
  • Always re-fetch keys if signature verification fails, albeit avoiding webfinger roundtrip and additional HTTP queries
  • Extend stoplight to account/key refresh too

This part of the code is a bit hairy, this should be thoroughly reviewed, and tests should probably be added.

@ClearlyClaire ClearlyClaire force-pushed the fixes/refresh-key branch 6 times, most recently from 93e0949 to 48d1b7d Compare December 30, 2018 20:05
@ClearlyClaire ClearlyClaire mentioned this pull request Dec 30, 2018
Closed
@Gargron Gargron merged commit 28b4828 into mastodon:master Jan 7, 2019
@ClearlyClaire ClearlyClaire deleted the fixes/refresh-key branch March 14, 2019 15:44
hiyuki2578 pushed a commit to ProjectMyosotis/mastodon that referenced this pull request Oct 2, 2019
@ClearlyClaire @hiyuki2578
Improvements to signature verification (mastodon#9667)
f99753b 
* Refactor signature verification a bit

* Rescue signature verification if recorded public key is invalid

Fixes mastodon#8822

* Always re-fetch AP signing key when HTTP Signature verification fails

But when the account is not marked as stale, avoid fetching collections and
media, and avoid webfinger round-trip.

* Apply stoplight to key/account update as well as initial key retrieval
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gargron Gargron Gargron approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ClearlyClaire @Gargron