mo_ztt , 10 months ago

You shouldn’t have to… as I understand it, if it’s showing up on your server, that means your server authenticated it. Given the general flakiness of all this software and Lemmy in particular, I wouldn’t put too much reliability on that, but that’s the theory.

If you do want to double-check it yourself, I know partially how to do it. You don’t have to get the key from the database; it’s probably simpler and safer to get it from your user’s JSON. Here’s a super-basic script to dump a fediverse endpoint’s contents:

<span style="color:#323232;">import requests
</span><span style="color:#323232;">import json
</span><span style="color:#323232;">import sys
</span><span style="color:#323232;">
</span><span style="color:#323232;">def fetch_and_pretty_print(url, headers=None):
</span><span style="color:#323232;">    # If headers are not provided, set default to fetch ActivityPub content
</span><span style="color:#323232;">    if headers is None:
</span><span style="color:#323232;">        headers = {
</span><span style="color:#323232;">            'Accept': 'application/activity+json',
</span><span style="color:#323232;">            'User-Agent': 'Fediverse dump tool via @[email protected]'
</span><span style="color:#323232;">        }
</span><span style="color:#323232;">    
</span><span style="color:#323232;">    try:
</span><span style="color:#323232;">        response = requests.get(url, headers=headers)
</span><span style="color:#323232;">        response.raise_for_status()  # Raise an exception for HTTP errors
</span><span style="color:#323232;">
</span><span style="color:#323232;">        # Try to parse JSON and pretty print it
</span><span style="color:#323232;">        parsed_json = response.json()
</span><span style="color:#323232;">        print(json.dumps(parsed_json, indent=4, sort_keys=True))
</span><span style="color:#323232;">        
</span><span style="color:#323232;">    except requests.RequestException as e:
</span><span style="color:#323232;">        print(f"Error fetching the URL: {e}")
</span><span style="color:#323232;">    except json.JSONDecodeError:
</span><span style="color:#323232;">        print("Error decoding JSON.")
</span><span style="color:#323232;">
</span><span style="color:#323232;">if __name__ == '__main__':
</span><span style="color:#323232;">    fetch_and_pretty_print(sys.argv[1])
</span>

If I want to validate your comment, I would start by getting your public key via your user’s endpoint on your home server. I could save that script up above as fetch, then run python fetch https://lemmy.mindoki.com/u/Loulou, and in among with a bunch of other stuff I would see:

<span style="color:#323232;">    "publicKey": {
</span><span style="color:#323232;">        "id": "https://lemmy.mindoki.com/u/Loulou#main-key",
</span><span style="color:#323232;">        "owner": "https://lemmy.mindoki.com/u/Loulou",
</span><span style="color:#323232;">        "publicKeyPem": "-----BEGIN PUBLIC KEY-----nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArRwWZneP9efCrsymHDE2nsJAHojjxE4A2Q3Hquwt7s/HPTAi3gKP7NKCRSH7XVPtGhieJdtDeoLMkitvZXCUXnS1pZArTYihuLeOwbB+JrAHZpWr1sYpazspUPvl3MhDAOOCCAnSeqsMNPNd8QX1TfnN/3Bp4PRVmp9E968L61h93L5N3B7VxZ37kbzKFXrhmU6qFQbAoVQvHtojCD6WqR2nMb84eJy5QBN+0SjvGR8LRE0iJZiwYvVXKNoEyOqr4Fw8YnELi3TYbfxX++0uXw97ne+/rFgaa/QVCSopUbHkuX/ZfjzCdBAI+aqXsbmYLgdxdRDHur0k53aCh3u0t/IDLnHQIDAQABn-----END PUBLIC KEY-----n"
</span><span style="color:#323232;">    },
</span>

I don’t know off the top of my head how you could navigate your way to the fediverse JSON for your comment, or how to verify its signature once you find it (I tried to get the post by dumping your user’s outbox and the lemmy_support community’s outbox, but neither of those worked the way I expected it to), but that all might be a helpful starting point. I know that according to the docs, anything that was created by your user and then federated is supposed to be signed with that key so that other servers can authenticate it.