Implement ActivityPub requests signing
Why are we doing this work
This is our final step to make our ActivityPub actors compatible with the Fediverse.
Mastodon requires HTTP signatures, which is yet another standard, in order to make sure no spammer tries to impersonate a given server.
This is asymmetric cryptography, with a private key and a public key, like SSH or PGP. We will need to implement both signing requests and verifying them. This will be of considerable help when we want to have various GitLab instances communicate later in the epic.
Relevant links
Non-functional requirements
- Documentation:
- Testing:
Implementation plan
- figure out how to generate a secret key in a GitLab instance, or which one we may reuse
- implement request signing
- implement request verifying
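One way the signing and verifying steps of the plan can look, as an added example that is not GitLab's code. It assumes the draft-cavage HTTP Signatures scheme with `rsa-sha256` over `(request-target)`, `host`, `date` and `digest`; the function names, key id URL and host names are hypothetical, and the key is generated on the spot.

```ruby
require 'openssl'
require 'base64'
require 'time'

# Headers covered by the signature (assumed set, not specified on the page).
SIGNED_HEADERS = %w[(request-target) host date digest].freeze

# One "name: value" line per covered header, in the order listed.
def signing_string(method, path, headers, names = SIGNED_HEADERS)
  names.map do |name|
    value = name == '(request-target)' ? "#{method.downcase} #{path}" : headers.fetch(name)
    "#{name}: #{value}"
  end.join("\n")
end

def body_digest(body)
  "SHA-256=#{Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(body))}"
end

# Sender: returns the headers to attach to the request, Signature included.
def sign_request(key, key_id, method, path, host, body, now: Time.now)
  headers = { 'host' => host, 'date' => now.httpdate, 'digest' => body_digest(body) }
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers))
  headers.merge('signature' =>
    %(keyId="#{key_id}",algorithm="rsa-sha256",) +
    %(headers="#{SIGNED_HEADERS.join(' ')}",signature="#{Base64.strict_encode64(sig)}"))
end

# Receiver: public_key is assumed to be already resolved from the keyId.
def verify_request(public_key, method, path, headers, body, now: Time.now, max_skew: 300)
  params = headers.fetch('signature').scan(/(\w+)="([^"]*)"/).to_h
  names = params.fetch('headers').split
  return false unless (SIGNED_HEADERS - names).empty?         # partial coverage
  return false unless headers.fetch('digest') == body_digest(body) # altered body
  return false if (now - Time.httpdate(headers.fetch('date'))).abs > max_skew # replay
  public_key.verify(OpenSSL::Digest.new('SHA256'),
                    Base64.strict_decode64(params.fetch('signature')),
                    signing_string(method, path, headers, names))
rescue ArgumentError, KeyError # malformed date/base64, or a missing header
  false
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed sample key
  body = '{"type":"Follow"}'         # constructed sample activity
  h = sign_request(key, 'https://gitlab.example/users/alice#main-key',
                   'POST', '/users/bob/inbox', 'mastodon.example', body)
  puts verify_request(key.public_key, 'POST', '/users/bob/inbox', h, body)
  puts verify_request(key.public_key, 'POST', '/users/bob/inbox', h, body + ' ')
end
```

The verifier rejects a request whose signature does not cover all four headers, so a sender cannot sign only `date` and leave the path or body open to change.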
Verification steps
When reaching this point, we will be compatible with Mastodon. So the best test is to run both GitLab and Mastodon locally, and make sure they can communicate.