{"id":18582336,"url":"https://github.com/go-fed/httpsig","last_synced_at":"2025-04-04T07:08:18.093Z","repository":{"id":33586730,"uuid":"133571837","full_name":"go-fed/httpsig","owner":"go-fed","description":"Golang implementation of the HTTP Signatures RFC draft, with SSH support!","archived":false,"fork":false,"pushed_at":"2024-01-19T14:56:22.000Z","size":75,"stargazers_count":76,"open_issues_count":9,"forks_count":29,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-29T18:38:41.443Z","etag":null,"topics":["golang","golang-library","http","http-signature","http-signatures","httpsig","signatures","signing","ssh"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/go-fed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2018-05-15T20:49:36.000Z","updated_at":"2024-08-18T00:55:45.000Z","dependencies_parsed_at":"2023-12-24T16:02:05.444Z","dependency_job_id":"9245c8b7-fa87-4137-a9ce-6cf6ea62ac31","html_url":"https://github.com/go-fed/httpsig","commit_stats":{"total_commits":40,"total_committers":6,"mean_commits":6.666666666666667,"dds":"0.30000000000000004","last_synced_commit":"55836744818e5aee1c28fa283aec277dd7ab5d59"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-fed%2Fhttpsig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-fed%2Fhttpsig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-fed%2Fhttpsig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/go-fed%2Fhttpsig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/go-fed","download_url":"https://codeload.github.com/go-fed/httpsig/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247135144,"owners_count":20889421,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","golang-library","http","http-signature","http-signatures","httpsig","signatures","signing","ssh"],"created_at":"2024-11-07T00:10:38.383Z","updated_at":"2025-04-04T07:08:18.071Z","avatar_url":"https://github.com/go-fed.png","language":"Go","readme":"# httpsig\n\n\u003e HTTP Signatures made simple\n\n[![Build Status][Build-Status-Image]][Build-Status-Url] [![Go Reference][Go-Reference-Image]][Go-Reference-Url]\n[![Go Report Card][Go-Report-Card-Image]][Go-Report-Card-Url] [![License][License-Image]][License-Url]\n[![Chat][Chat-Image]][Chat-Url] [![OpenCollective][OpenCollective-Image]][OpenCollective-Url]\n\n`go get github.com/go-fed/httpsig`\n\nImplementation of [HTTP Signatures](https://tools.ietf.org/html/draft-cavage-http-signatures).\n\nSupports many different combinations of MAC, HMAC signing of hash, or RSA\nsigning of hash schemes. Its goals are:\n\n* Have a very simple interface for signing and validating\n* Support a variety of signing algorithms and combinations\n* Support setting either headers (`Authorization` or `Signature`)\n* Remaining flexible with headers included in the signing string\n* Support both HTTP requests and responses\n* Explicitly not support known-cryptographically weak algorithms\n* Support automatic signing and validating Digest headers\n\n## How to use\n\n`import \"github.com/go-fed/httpsig\"`\n\n### Signing\n\nSigning a request or response requires creating a new `Signer` and using it:\n\n```\nfunc sign(privateKey crypto.PrivateKey, pubKeyId string, r *http.Request) error {\n\tprefs := []httpsig.Algorithm{httpsig.RSA_SHA512, httpsig.RSA_SHA256}\n\tdigestAlgorithm := DigestSha256\n\t// The \"Date\" and \"Digest\" headers must already be set on r, as well as r.URL.\n\theadersToSign := []string{httpsig.RequestTarget, \"date\", \"digest\"}\n\tsigner, chosenAlgo, err := httpsig.NewSigner(prefs, digestAlgorithm, headersToSign, httpsig.Signature)\n\tif err != nil {\n\t\treturn err\n\t}\n\t// To sign the digest, we need to give the signer a copy of the body...\n\t// ...but it is optional, no digest will be signed if given \"nil\"\n\tbody := ...\n\t// If r were a http.ResponseWriter, call SignResponse instead.\n\treturn signer.SignRequest(privateKey, pubKeyId, r, body)\n}\n```\n\n`Signer`s are not safe for concurrent use by goroutines, so be sure to guard\naccess:\n\n```\ntype server struct {\n\tsigner httpsig.Signer\n\tmu *sync.Mutex\n}\n\nfunc (s *server) handlerFunc(w http.ResponseWriter, r *http.Request) {\n\tprivateKey := ...\n\tpubKeyId := ...\n\t// Set headers and such on w\n\ts.mu.Lock()\n\tdefer s.mu.Unlock()\n\t// To sign the digest, we need to give the signer a copy of the response body...\n\t// ...but it is optional, no digest will be signed if given \"nil\"\n\tbody := ...\n\terr := s.signer.SignResponse(privateKey, pubKeyId, w, body)\n\tif err != nil {\n\t\t...\n\t}\n\t...\n}\n```\n\nThe `pubKeyId` will be used at verification time.\n\n### Verifying\n\nVerifying requires an application to use the `pubKeyId` to both retrieve the key\nneeded for verification as well as determine the algorithm to use. Use a\n`Verifier`:\n\n```\nfunc verify(r *http.Request) error {\n\tverifier, err := httpsig.NewVerifier(r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tpubKeyId := verifier.KeyId()\n\tvar algo httpsig.Algorithm = ...\n\tvar pubKey crypto.PublicKey = ...\n\t// The verifier will verify the Digest in addition to the HTTP signature\n\treturn verifier.Verify(pubKey, algo)\n}\n```\n\n`Verifier`s are not safe for concurrent use by goroutines, but since they are\nconstructed on a per-request or per-response basis it should not be a common\nrestriction.\n\n[Build-Status-Image]: https://travis-ci.org/go-fed/httpsig.svg?branch=master\n[Build-Status-Url]: https://travis-ci.org/go-fed/httpsig\n[Go-Reference-Image]: https://pkg.go.dev/badge/github.com/go-fed/httpsig\n[Go-Reference-Url]: https://pkg.go.dev/github.com/go-fed/httpsig\n[Go-Report-Card-Image]: https://goreportcard.com/badge/github.com/go-fed/httpsig\n[Go-Report-Card-Url]: https://goreportcard.com/report/github.com/go-fed/httpsig\n[License-Image]: https://img.shields.io/github/license/go-fed/httpsig?color=blue\n[License-Url]: https://opensource.org/licenses/BSD-3-Clause\n[Chat-Image]: https://img.shields.io/matrix/go-fed:feneas.org?server_fqdn=matrix.org\n[Chat-Url]: https://matrix.to/#/!BLOSvIyKTDLIVjRKSc:feneas.org?via=feneas.org\u0026via=matrix.org\n[OpenCollective-Image]: https://img.shields.io/opencollective/backers/go-fed-activitypub-labs\n[OpenCollective-Url]: https://opencollective.com/go-fed-activitypub-labs\n","funding_links":["https://opencollective.com/go-fed-activitypub-labs"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgo-fed%2Fhttpsig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgo-fed%2Fhttpsig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgo-fed%2Fhttpsig/lists"}