Implement HTTP Message Signatures (RFC 9421)

According [their recent announcement][1] and the [related issue](https://github.com/mastodon/mastodon/issues/29905#issuecomment-2624340545) on their issue tracker, Mastodon will be implementing HTTP Message Signatures ([RFC 9421]) in the next two minor versions (4.4 and 4.5). Since Mastodon is the most widely-used fediverse software, we need to implement RFC 9421 to maintain compatibility.

## Background

- Mastodon currently uses Cavage HTTP Signatures ([draft-cavage-http-signatures-12])
- In Mastodon 4.4, they will add support for validating RFC 9421 signatures
- In Mastodon 4.5, they will start signing requests using RFC 9421

## Implementation requirements

### Double-knocking implementation

We need to implement [double-knocking] to maintain compatibility with servers using different HTTP signature versions:

1. First attempt: Try RFC 9421 signature
2. If rejected (HTTP 401): Fall back to Cavage HTTP Signatures
3. Handle both signature verification methods for incoming requests

### Core requirements

1. Implement RFC 9421 signature verification
2. Implement RFC 9421 signature generation
3. Maintain backwards compatibility with Cavage HTTP Signatures for other fediverse software
4. Add tests to verify correct signature generation and verification
5. Update documentation to reflect the new signature support

[1]: https://blog.joinmastodon.org/2025/02/trunk-tidbits-january-2025/
[RFC 9421]: https://www.rfc-editor.org/rfc/rfc9421
[draft-cavage-http-signatures-12]: https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures
[double-knocking]: https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement HTTP Message Signatures (RFC 9421) #208

Background

Implementation requirements

Double-knocking implementation

Core requirements

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development