PHPeerTube - A PHP‑based federated video platform, inspired by PeerTube.

Copyright (C) 2025 Lucentinian Works Co Ltd

HTTP Signature Verification

PHPeerTube requires ActivityPub requests to be signed using HTTP Signatures (Draft 8). The implementation looks for the Signature header in incoming POST requests to the Inbox.

Header Format

Signature: keyId="https://remote-instance.com/users/alice#main-key",algorithm="rsa-sha256",headers="(request-target) host date",signature="Base64EncodedSignature..."

Example Signed Request

To test the Inbox, you cannot simply use curl with a static JSON body. You must send a signed request. Since curl does not support HTTP Signatures natively, you would typically use a script.

However, here is what the curl command would look like if you manually computed the signature:

# 1. Build the signing string (one "name: value" line per signed header, joined by "\n", no trailing newline):
# (request-target): post /accounts/testuser/inbox
# host: phpeertube.ehehdada.com
# date: Fri, 02 Jan 2026 03:00:00 GMT

# 2. Sign it with RSA-SHA256 and your private key.
# 3. Base64 encode the signature.

curl -i -X POST \
     -H "Host: phpeertube.ehehdada.com" \
     -H "Date: Fri, 02 Jan 2026 03:00:00 GMT" \
     -H "Content-Type: application/activity+json" \
     -H 'Signature: keyId="https://remote.com/u/alice#main-key",algorithm="rsa-sha256",headers="(request-target) host date",signature="YOUR_COMPUTED_SIGNATURE"' \
     -d '{
        "@context": "https://www.w3.org/ns/activitystreams",
        "id": "https://remote.com/u/alice/follow/123",
        "type": "Follow",
        "actor": "https://remote.com/u/alice",
        "object": "http://phpeertube.ehehdada.com/accounts/testuser"
     }' \
     http://phpeertube.ehehdada.com/accounts/testuser/inbox
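
The three manual steps above can be scripted with the openssl CLI, and the same signing string lets you check a signature the way a receiver would. This is an added example, not PHPeerTube code or part of the original page; the function names, the `private.pem` path and the availability of the `openssl` command are assumptions.

```sh
#!/bin/sh
# Added example, not PHPeerTube code. Assumes the openssl CLI is installed.

# Signing string for headers="(request-target) host date": one "name: value"
# line per signed header, joined by "\n", with no trailing newline.
signing_string() { # args: method path host date
  local method
  method=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '(request-target): %s %s\nhost: %s\ndate: %s' "$method" "$2" "$3" "$4"
}

# RSA-SHA256 (PKCS#1 v1.5) signature over the signing string, Base64 on one line.
sign_request() { # args: private_key_pem method path host date
  signing_string "$2" "$3" "$4" "$5" |
    openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Signature header value in the format shown under "Header Format".
signature_header() { # args: key_id private_key_pem method path host date
  local sig
  sig=$(sign_request "$2" "$3" "$4" "$5" "$6")
  [ -n "$sig" ] || return 1
  printf 'keyId="%s",algorithm="rsa-sha256",headers="(request-target) host date",signature="%s"' "$1" "$sig"
}

# Receiver-side check: rebuild the signing string from the request as received
# and verify the Base64 signature with the sender's public key.
verify_signature() { # args: public_key_pem base64_sig method path host date
  local tmp rc
  tmp=$(mktemp) || return 1
  rc=0
  printf '%s' "$2" | openssl base64 -d -A > "$tmp" || rc=1
  if [ "$rc" -eq 0 ]; then
    signing_string "$3" "$4" "$5" "$6" |
      openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1 || rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage with the page's example values (private.pem is a placeholder path):
#   DATE=$(LC_ALL=C date -u '+%a, %d %b %Y %H:%M:%S GMT')
#   SIG=$(signature_header 'https://remote.com/u/alice#main-key' private.pem \
#         post /accounts/testuser/inbox phpeertube.ehehdada.com "$DATE")
#   curl -i -X POST -H "Date: $DATE" -H "Signature: $SIG" ...   # rest as above
```

The signed header list `(request-target) host date` does not cover the request body, so a valid signature says nothing about the JSON payload unless a `Digest` header is also signed and checked. The `Date` value passed to the script must match the `Date` header that is sent, byte for byte.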

Expected Response