Do not generate Linked Data signatures when authorized fetch is enabled
What feature would you like implemented?
Proper enforcement of authorized fetch (checkActivityPubGetSignature) requires that outgoing activities be signed by HTTP signature only (no Linked Data signature). This prevents the activity from being "forwarded" to other instances, and ensures that all remote instances must make an inbound GET request that can be verified.
This is not currently implemented in Sharkey. GET requests are verified, but LD signatures are still produced for all messages. This allows messages to be boosted (Announced) onto blocked instances without verification.
Why should we add this feature?
Without this feature, authorized fetch is of limited benefit. Other fediverse software (Mastodon & Pleroma especially) will include the full, signed activity in all Announce activities, which can greatly expand the reach of each activity.
Version
2024.5.1
Instance
N/A
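An added example (not Sharkey's code) of the behaviour requested above: when authorized fetch is on, Linked Data signatures are dropped from an outgoing activity, so only the HTTP signature on the request authenticates it. The helper names, the `authorizedFetch` parameter, the `RsaSignature2017` signature shape and the sample activities are assumptions; the walk also covers embedded objects, which goes slightly beyond the top-level case.

```typescript
// Added example: hypothetical helpers, not Sharkey's own code.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };
// Assumption: an LD signature is a `signature` member whose `type` is
// "RsaSignature2017", the form Mastodon-compatible software attaches.
function isLdSignature(value: Json | undefined): boolean {
  return typeof value === 'object' && value !== null && !Array.isArray(value)
    && value['type'] === 'RsaSignature2017';
}

// JSON paths of every LD signature, including ones on embedded objects.
function findLdSignatures(node: Json, path: string = '$'): string[] {
  if (typeof node !== 'object' || node === null) return [];
  if (Array.isArray(node)) return node.reduce<string[]>(
    (acc, item, i) => acc.concat(findLdSignatures(item, `${path}[${i}]`)), []);
  let hits: string[] = [];
  for (const key of Object.keys(node)) {
    const value = node[key];
    if (value === undefined) continue;
    if (key === 'signature' && isLdSignature(value)) hits.push(`${path}.${key}`);
    else hits = hits.concat(findLdSignatures(value, `${path}.${key}`));
  }
  return hits;
}

// Deep copy of the activity with every LD signature removed.
function stripLdSignatures(node: Json): Json {
  if (typeof node !== 'object' || node === null) return node;
  if (Array.isArray(node)) return node.map((item) => stripLdSignatures(item));
  const copy: JsonObject = {};
  for (const key of Object.keys(node)) {
    const value = node[key];
    if (value === undefined || (key === 'signature' && isLdSignature(value))) continue;
    copy[key] = stripLdSignatures(value);
  }
  return copy;
}

// `authorizedFetch` stands for the checkActivityPubGetSignature setting.
// Call this before the body digest and HTTP signature are computed.
function prepareForDelivery(activity: JsonObject, authorizedFetch: boolean): JsonObject {
  return authorizedFetch ? (stripLdSignatures(activity) as JsonObject) : activity;
}

// Constructed sample: a signed Create and an Announce that embeds it whole.
const signedCreate: JsonObject = {
  type: 'Create', actor: 'https://a.example/users/alice', object: { type: 'Note', content: 'hi' },
  signature: { type: 'RsaSignature2017', creator: 'https://a.example/users/alice#main-key', signatureValue: 'PLACEHOLDER' },
};
const announce: JsonObject = { type: 'Announce', actor: 'https://b.example/users/bob', object: signedCreate };
```

`findLdSignatures` can also serve as a delivery-time audit: a non-empty result while authorized fetch is enabled means the payload can still be verified without a fetch back to the origin.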