I've been working on a basic little bot coded up for replying to ActivityPub posts: https://git.sr.ht/~technomancy/pengbot/tree/fedi/item/fedi/inbox.fnl

I've got the webfinger and profile bits loaded; that part's actually pretty straightforward, and gotosocial and masto both can recognize @pengbot (but the icon breaks in masto for some reason)

but getting the HTTP signatures? god what a slog

if anything's not perfect it's just like "you got it wrong", no description of why or how to fix it; super frustrating

if anyone familiar with HTTP signatures could take a look and spot what I'm doing wrong, that'd be awesome; I would really love to get this working and have a tiny framework to set up automated interactive fedi posts

turns out the reason my ActivityPub bot doesn't work is that I based my signing implementation on this post from mastodon's own blog, and they changed the way they accept signatures but didn't update the post: https://blog.joinmastodon.org/2018/06/how-to-implement-a-basic-activitypub-server/

I thought there was something sketchy about a signature that only signed the host, path, and timestamp to begin with and ignored the body!

daydreaming about the amazing world we could live in if you could make activitypub software that didn't need to implement that utterly batshit draft HTTP signatures RFC

this is a real thing that someone submitted as a real RFC: it has a "Signature" header that isn't actually the signature; it's a bespoke key/value comma list that contains the actual signature along with a bunch of other things that belong in a separate header but just got stuffed into "Signature" anyway like the list of headers being signed and the ID of the key doing the signing

and when it doesn't work, all you get is "no, you're wrong" instead of telling you how to fix it

I bet a lot of other people have done exactly what I'm doing and then hit these problems and then gave up because ... what else are you supposed to do?

my little bot is getting hammered by mastodon.social sending it Delete actions for random users that have never successfully interacted with it (because even if it tried to interact, m.s is rejecting the signatures for unknown reasons)

am I going to have to implement "block the huge badly-behaved servers" literally before I have a single working feature?

apparently there's an activitypub IRC channel on irc.w3.org; if you try to connect to the server and join it, it tells you that you're banned for no reason, which on the one hand is stupid and annoying but on the other hand ... seems to be pretty consistent with The ActivityPub Implementer Experience so far

I think I had better stop working on this activitypub bot because A) it is very unlikely at this point that I will be able to convince mastodon to accept the signatures as valid and B) it is very likely that it will continue to ruin my mood, and my opinion of mastodon

@technomancy yeah I had same experience with aws signature v4.

Basically the only way to get shit like this working is by starting from a known working implementation and using it to construct a test case that includes checkpoints at various steps in the process so you can get those helpful error messages that the real implementation can't give you