see this is why you don't put hashtags in your ActivityPub object IDs!
WARN [ap] Error validating activity from 81.201.202.98: Cannot re-fetch activity https://mk.absturztau.be/users/a2l8lkf5m7tt003q#updates/1765511014068: returned object is not an activity type {
userAgent: 'Misskey/2025.4.4 (https://mk.absturztau.be)',
signature: 'keyId="https://mk.absturztau.be/users/a2l8lkf5m7tt003q#main-key",algorithm="rsa-sha256",headers="(request-target) date host digest",signature="Wm4D7XzgV0BvdiGpNlGi++J+zRXl9XUwONXC5Scw4CgjHiIfjBUtx++WnvGOPxYhpe0xnF7a+iT0bI+LTltZjjm0F21L9T4o1PT423+z3LZTm2Dekbogfelw4bUgn3dxP/zt5+4DwQi/V8AxYH38G3WoGh09vvAxAqfirq42iEvOtZorc7ouimWBA7+BdADBXJf/TX7XF4YEOzfvX+2qXJyy+fePXOd2pkqpzdwC3B9pY8e9j6MLYy6Di2ackmtjo+GkEAr1IMeagCArYBhSS0yi8iyvBoNku9uSki6unuJE34s9qJLg6qEJwCb8z+Z8MHuScBMLcA953VVX+0aDZw=="'
}
It works great for a bit, then you run into edge cases like this:
1. Instance A generates an activity https://a.example.com/some-object#activity
2. A sends that activity to instance B, which is Mastodon or a Relay.
3. B forwards the activity to C, which validates the signature but doesn't trust the activity since it came from B instead of A.
4. C tries to resolve a canonical copy of the activity, but because hashtags aren't allowed in HTTP the actual request goes to https://a.example.com/some-object.
5. Since A doesn't realize that C wants the activity, it (correctly) returns the actual object some-object.
6. C determines that the returned object does not match the activity forwarded by B, and (correctly) rejects it.
The final result: B is unable to forward the activity from A to C, even though it meets all security criteria, because A's activity ID is unresolvable.
Hazelnoot ALT (hazelnoot@enby.life)'s status on Saturday, 13-Dec-2025 04:13:37 JST
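Steps 4 to 6 of the post, as an added example that is not part of the original post or any server's code: a re-fetch check run over a forwarded activity whose ID carries a fragment, next to one whose ID does not. The `refetchForwarded` helper, the `/activities/1` path and the in-memory origin map are assumptions constructed for illustration.

```javascript
// Constructed sample data: what instance A serves per URL.
// The fragment never reaches A, so A can only key on the fragment-less URL.
const ORIGIN_A = new Map([
  ['https://a.example.com/some-object',
    { id: 'https://a.example.com/some-object', type: 'Note' }],
  ['https://a.example.com/activities/1', // hypothetical fragment-free activity ID
    { id: 'https://a.example.com/activities/1', type: 'Create' }],
]);

const ACTIVITY_TYPES = new Set(
  ['Create', 'Update', 'Delete', 'Announce', 'Like', 'Follow', 'Undo']);

// The URL an HTTP client actually requests: the fragment is dropped before sending.
function requestUrl(id) {
  const u = new URL(id);
  u.hash = '';
  return u.href;
}

// Hypothetical stand-in for C's check on an activity forwarded by B:
// resolve a canonical copy from the origin and compare it to what B sent.
function refetchForwarded(activity, origin = ORIGIN_A) {
  const url = requestUrl(activity.id);
  const fetched = origin.get(url);
  if (!fetched) return { ok: false, url, reason: 'not found' };
  if (!ACTIVITY_TYPES.has(fetched.type)) {
    return { ok: false, url, reason: 'returned object is not an activity type' };
  }
  if (fetched.id !== activity.id) return { ok: false, url, reason: 'id mismatch' };
  return { ok: true, url, reason: null };
}

// ID with a fragment: the request lands on some-object, A returns the Note, C rejects.
const withFragment = refetchForwarded(
  { id: 'https://a.example.com/some-object#activity', type: 'Update' });

// ID without a fragment: the request resolves to the activity itself, C accepts.
const withoutFragment = refetchForwarded(
  { id: 'https://a.example.com/activities/1', type: 'Create' });

console.log(withFragment, withoutFragment);
```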