GNU social JP
GNU social JP is a GNU social server in Japan.

Conversation

Notices

  1. silverpill (silverpill@mitra.social)'s status on Wednesday, 06-May-2026 21:54:07 JST
    • marius
    • Marius

    @Marius

    >inbound verification

    Is it enabled on this instance? I tried to send a POST request signed according to RFC-9421 to your inbox, the response was 401.

    Timestamp: 2026-05-06T12:50:30Z

    cc @mariusor

    In conversation about 2 months ago from mitra.social permalink
    • silverpill (silverpill@mitra.social)'s status on Thursday, 07-May-2026 03:37:23 JST
      in reply to
      • marius
      • marius
      • Marius

      @mariusor @Marius @marius Sent another one to https://marius.federated.id/inbox
      2026-05-06T18:33:57Z

      In conversation about 2 months ago permalink

    • marius (mariusor@metalhead.club)'s status on Thursday, 07-May-2026 03:37:25 JST
      in reply to
      • marius
      • Marius

      @silverpill

      I'm not sure which instance you mean, these two actors are different.

      @marius@marius.federated.id

      @marius@federated.id

      The first one is on an instance that should have RFC9421 enabled, but the second isn't.

      I enabled request debug on it, if you want to try again.

      In conversation about 2 months ago permalink
    • silverpill (silverpill@mitra.social)'s status on Thursday, 07-May-2026 03:47:38 JST
      in reply to
      • marius

      @mariusor I created it manually. Too lazy to add object :]

      In conversation about 2 months ago permalink
    • marius (mariusor@metalhead.club)'s status on Thursday, 07-May-2026 03:47:39 JST
      in reply to

      @silverpill also, what the hell is that Activity? A Like without an object... o.O

      In conversation about 2 months ago permalink
    • marius (mariusor@metalhead.club)'s status on Thursday, 07-May-2026 03:47:41 JST
      in reply to

      @silverpill the problem is missing nonces even when not specified in the signature-input.

      6:33PM WRN Failed to load actor err="verification failed: parameter error: nonce validation failed: nonce already seen" log=auth

      I'll review if the error is on my end, or in the library itself. I just realized this is the same issue I had with signatures coming from tags.pub at some point.

      I'll probably message you with an update sometime tomorrow. Thank you for giving it a try. 🫡

      In conversation about 2 months ago permalink
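
One way the logged error can arise and a guard against it, as an added example that is not the code of the server or library in the thread: a replay cache that records an absent nonce as an empty string rejects the second nonce-less request, while one that checks only nonces actually sent does not. The cache type, function names and the split-on-semicolon parsing are assumptions made for illustration; how the library tracks nonces is not shown on the page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errSeen = errors.New("nonce validation failed: nonce already seen")

// nonceParam returns the nonce parameter of a Signature-Input value and whether
// the signer sent one. Splitting on ';' is a simplification of RFC 8941 parsing.
func nonceParam(sigInput string) (string, bool) {
	for _, p := range strings.Split(sigInput, ";")[1:] {
		if v, ok := strings.CutPrefix(strings.TrimSpace(p), "nonce="); ok {
			return strings.Trim(v, `"`), true
		}
	}
	return "", false
}

// replayCache remembers nonces that were already accepted (hypothetical type).
type replayCache map[string]bool

// check records the nonce of sigInput and rejects one seen before. With
// validateMissing set it also records an absent nonce (as ""), which makes
// every nonce-less request after the first one look like a replay.
func (c replayCache) check(sigInput string, validateMissing bool) error {
	n, ok := nonceParam(sigInput)
	if !ok && !validateMissing {
		return nil // no nonce was sent, so there is nothing to compare
	}
	if c[n] {
		return errSeen
	}
	c[n] = true
	return nil
}

// Constructed Signature-Input prefix without a nonce, modelled on the thread's.
const params = `sig1=("@method" "@target-uri" "content-digest");keyid="https://signer.example/actor#main-key";created=`

func main() {
	naive, fixed := replayCache{}, replayCache{}
	fmt.Println(naive.check(params+"1778314593", true), naive.check(params+"1778314600", true))
	fmt.Println(fixed.check(params+"1778314593", false), fixed.check(params+"1778314600", false))
}
```
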
    • silverpill (silverpill@mitra.social)'s status on Friday, 08-May-2026 20:23:09 JST
      in reply to
      • marius
      • marius
      • Marius

      @mariusor Still returns 401.

      The timestamp is 2026-05-08T11:20:47Z

      @Marius @marius

      In conversation about a month ago permalink
    • marius (mariusor@metalhead.club)'s status on Friday, 08-May-2026 20:23:11 JST
      in reply to
      • marius
      • Marius

      @silverpill when you get a chance, please send another request. While waiting for the upstream to solve the issue, I fixed on my end trying to validate missing nonces.

      @marius@marius.federated.id @marius@federated.id

      In conversation about a month ago permalink
    • silverpill (silverpill@mitra.social)'s status on Saturday, 09-May-2026 02:15:31 JST
      in reply to
      • marius
      • marius
      • Marius

      @mariusor It is possible that the signature is incorrect, but my own verifier can verify the signature. I assume that my verifier is good enough because it is compatible with several known RFC-9421 implementers (fedify, tootik, etc).
      Another data point: mastodon.social accepts my RFC-9421 signed POST request, returns 202.

      Components used in the signature base: @method, @target-uri, content-digest, @signature-params.

      @Marius @marius

      In conversation about a month ago permalink
    • marius (mariusor@metalhead.club)'s status on Saturday, 09-May-2026 02:15:33 JST
      in reply to
      • marius
      • Marius

      > I might use a locally cached version that's out of date

      @silverpill it's not that, the key online matches the public key in cache.

      Have you tested the key generation against some known vectors?

      The only explanation I can come up with is that the signature is somehow incorrect... :(

      (On my side I checked the verifier against the test examples given in the RFC9421, so I'm 90% confident the code should work as intended)

      @marius@marius.federated.id @marius@federated.id

      In conversation about a month ago permalink
    • silverpill (silverpill@mitra.social)'s status on Saturday, 09-May-2026 02:15:35 JST
      in reply to
      • marius
      • marius
      • Marius

      @mariusor Made another one.

      The response is {"@context":"http://marius.federated.id/ns#errors","errors":{"status":401,"message":"authorized Actor is invalid"}}

      @Marius @marius

      In conversation about a month ago permalink

    • marius (mariusor@metalhead.club)'s status on Saturday, 09-May-2026 02:15:35 JST
      in reply to
      • marius
      • Marius

      @silverpill gaaah!! 😱
      Thank you.

      The log is just telling me the signature failed verification:

      err="actor IRI https://mitra.social/users/silverpill: verification failed: invalid signature: crypto/rsa: verification error"

      Did you by any chance update your key recently? (I might use a locally cached version that's out of date, version in cache is since May 2025)

      @marius@marius.federated.id @marius@federated.id

      In conversation about a month ago permalink

    • marius (mariusor@metalhead.club)'s status on Saturday, 09-May-2026 02:15:37 JST
      in reply to
      • marius
      • Marius

      @silverpill damn, I didn't have debugging enabled after restarting the server. I found the request, but the errors are not very enlightening on signature check failure.

      Could you do another one please. 🙇

      @marius@marius.federated.id @marius@federated.id

      In conversation about a month ago permalink
    • silverpill (silverpill@mitra.social)'s status on Saturday, 09-May-2026 04:42:05 JST
      in reply to
      • marius
      • marius
      • Marius

      @mariusor Sure, I'll prepare an example.

      @Marius @marius

      In conversation about a month ago permalink
    • marius (mariusor@metalhead.club)'s status on Saturday, 09-May-2026 04:42:08 JST
      in reply to
      • marius
      • Marius

      @silverpill ok, cool, that makes sense too.

      Would it be too much trouble for you to create a minimum example that generates a signature using your libraries so I can adapt it to test on my dev setup?

      @marius@marius.federated.id @marius@federated.id

      In conversation about a month ago permalink
    • silverpill (silverpill@mitra.social)'s status on Sunday, 10-May-2026 03:20:58 JST
      in reply to

      @mariusor

      RSA secret key: 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

      request method: POST
      request body: {}
      request URI: https://verifier.example/inbox
      created: 1778314593

      content-digest header:
      sha-256=:RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=:

      signature base:
      "@method": POST
      "@target-uri": https://verifier.example/inbox
      "content-digest": sha-256=:RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=:
      "@signature-params": ("@method" "@target-uri" "content-digest");keyid="https://signer.example/actor#main-key";created=1778314593;alg="rsa-v1_5-sha256"

      signature header:
      sig1=:gJWUQjvkEcdXc86ZC+kEWKhUyiExKQomXxWd9q8mzDSm9fE6XjsA+HCoNE9LP4RRCdwAHWZ6Zeou4WPjhxpPwQ==:

      signature-input header:
      sig1=("@method" "@target-uri" "content-digest");keyid="https://signer.example/actor#main-key";created=1778314593;alg="rsa-v1_5-sha256"

      In conversation about a month ago permalink
    • silverpill (silverpill@mitra.social)'s status on Sunday, 17-May-2026 06:37:58 JST
      in reply to
      • marius

      @mariusor That's possible.

      @target-uri is supposed to be an absolute URI. HTTP servers typically re-construct full URI using the Host and other headers. For example, I use this method: https://docs.rs/actix-web/latest/actix_web/dev/struct.ConnectionInfo.html#method.host

      Hostname is resolved through the following, in order:
      Forwarded header
      X-Forwarded-Host header
      Host header
      request target / URI
      configured server hostname

      If I don't configure my reverse proxy to set these headers, the full URI will be incorrect, leading to verification failure.

      In conversation about a month ago permalink

      Attachments

        ConnectionInfo in actix_web::dev - Rust
        HTTP connection information.
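
The failure mode discussed in this exchange, as an added example that is not code from either participant or their projects: a signature made over the public @target-uri verifies only when the backend rebuilds that same URI from the proxy's X-Forwarded-Host header, and otherwise fails with the crypto/rsa error seen in the log. The throwaway key, the 127.0.0.1:8080 backend address and the https scheme assumed behind the proxy are constructed for illustration; the signature parameters and digest are the ones posted in the thread.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/url"
)

// sigParams and digest are the values posted in the thread; key is a throwaway.
const sigParams = `("@method" "@target-uri" "content-digest");keyid="https://signer.example/actor#main-key";created=1778314593;alg="rsa-v1_5-sha256"`
const digest = "sha-256=:RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=:"
var key, _ = rsa.GenerateKey(rand.Reader, 2048)

// backend is a constructed request as the server sees it behind a reverse proxy.
var backend = &http.Request{Method: "POST", Host: "127.0.0.1:8080", URL: &url.URL{Path: "/inbox"}, Header: http.Header{"X-Forwarded-Host": {"verifier.example"}}}

// targetURI rebuilds the absolute URI, preferring X-Forwarded-Host when trusted.
func targetURI(r *http.Request, trustProxy bool) string {
	scheme, host := "http", r.Host
	if h := r.Header.Get("X-Forwarded-Host"); trustProxy && h != "" {
		scheme, host = "https", h // assumption: the proxy terminates TLS
	}
	return scheme + "://" + host + r.URL.RequestURI()
}

// signatureBase builds the RFC 9421 signature base for the covered components.
func signatureBase(method, uri string) []byte {
	return []byte(`"@method": ` + method + "\n" + `"@target-uri": ` + uri + "\n" +
		`"content-digest": ` + digest + "\n" + `"@signature-params": ` + sigParams)
}

// verifyAs signs the thread's base, then verifies against the base rebuilt from r.
func verifyAs(r *http.Request, trustProxy bool) error {
	signed := sha256.Sum256(signatureBase("POST", "https://verifier.example/inbox"))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, signed[:])
	if err != nil {
		return err
	}
	seen := sha256.Sum256(signatureBase(r.Method, targetURI(r, trustProxy)))
	return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, seen[:], sig)
}

func main() {
	fmt.Println(verifyAs(backend, false), "/", verifyAs(backend, true))
}
```

X-Forwarded-Host should be trusted only when the reverse proxy sets it on every request, since the verifier builds the signed URI from it.
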
    • marius (mariusor@metalhead.club)'s status on Sunday, 17-May-2026 06:38:00 JST
      in reply to

      @silverpill to come back to this, I have added both this example and one of your original requests to the unit-tests, and they both validate correctly.

      So I still have no idea why this is failing in production. The only thing I can think of is the http proxy messing with the value of the "target-uri" parameter.

      In conversation about a month ago permalink

    • silverpill (silverpill@mitra.social)'s status on Friday, 05-Jun-2026 01:12:13 JST
      in reply to
      • marius

      @mariusor https://marius.federated.id still returns 401

      {"@context":"http://marius.federated.id/ns#errors","errors":{"status":401,"message":"authorized Actor is invalid"}}
      In conversation about 18 days ago permalink

    • marius (mariusor@metalhead.club)'s status on Friday, 05-Jun-2026 01:12:14 JST
      in reply to

      https://metalhead.club/@mariusor/116691230280367219

      @silverpill I wonder if this might have been also the culprit for why ONI was failing your otherwise correct RFC9421 signature requests.

      :think_bread:

      In conversation about 18 days ago permalink

      Attachments

        marius (@mariusor@metalhead.club)
        from marius
        @dmathieu@fosstodon.org OK, found a bug in my code... the signing for key fetches expects some headers that were not in the request I was building. I'll deploy a fix sometime today. Thanx.


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.