@chocobozzz@framapiaf.org I have a question for you... I'm seeing in Are we HS2019 yet? that Peertube and Misskey both use your package: peertube/http-signature
NodeBB currently rolls its own cavage-12 support, and I did some preliminary research into updating to the latest HTTP Signatures draft, but quickly got overwhelmed.
For a variety of reasons, but mainly to avoid NIH, I'd consider switching to a dependency.
My question is: does your library support verification for non-hs2019 signatures, or will I need to invoke your library in front, and fall back to existing cavage-12 verification otherwise?
I suppose, same question re: double-knocking.
Hi,
My answer seems to not have been received here so I copy the link: https://framapiaf.org/@Chocobozzz/116577305060483143
@Chocobozzz thanks! I'll take a look at the library you linked to.
Also I'll figure out why your message didn't come through 🤔
@julian Hi,
In fact peertube doesn't use this library anymore. We switched to https://github.com/misskey-dev/node-http-message-signatures
Ironically, Misskey still uses @peertube/http-signature.
The former dev of misskey-dev/node-http-message-signatures expressed concerns about the maintenance status of the library: https://github.com/Chocobozzz/PeerTube/issues/7372
However, upon reviewing it, I found no issues or security considerations with the library. @peertube/http-signature (based on https://github.com/TritonDataCenter/node-http-signature) isn't really maintained either.
Thanks @chocobozzz@framapiaf.org for the explanation. It does seem like the library is still usable.
In a separate thread, @mradcliffe@nokoto.org mentioned that he had a PR/branch that introduced RFC 9421 support:
https://nokoto.org/user/3/replies/317
It looks like you're the maintainer... would you be open to having that merged if someone (aka me) implements and tests it?