mirror of
https://github.com/svemagie/indiekit-endpoint-activitypub.git
synced 2026-04-02 15:44:58 +02:00
4298a6a307
The Fedify 2.0 migration added assertionMethods = keyPairs.map(k => k.multikey), which places the RSA Multikey (id: #main-key) into assertionMethod alongside the Ed25519 Multikey (id: #key-2). This creates a keyId collision: the RSA CryptographicKey in publicKey and the RSA Multikey in assertionMethod both use #main-key. Servers that traverse JSON-LD properties alphabetically (assertionMethod before publicKey) find the Multikey first — which lacks publicKeyPem — and return "public key not found". Fix: filter assertionMethods to only Ed25519 keys (Object Integrity Proofs). RSA keys already have their correct representation in publicKey (HTTP Signatures). This matches Mastodon's behavior and is semantically correct per the two key systems.