Missing resident signature in `send_join` response
progval opened this issue · comments
Description
About the event
field in the send_join
response, the spec says:
Required if the room version supports restricted join rules. The signed copy of the membership event sent to other servers by the resident server, including the resident server’s signature.
However, it seems Synapse is not including its own signature in send_join
responses.
This is an issue for Conduit, which requires this signature to be present
Steps to reproduce
Send this request to matrix.org:
matrix.org PUT https://matrix.org/_matrix/federation/v2/send_join/%21YllBCgVdcoakoavZvX%3Arycee.net/@valtest:magnesium.test.progval.net
{
"auth_events": [
"$0pt22mJ5ZFjIdguJmKzZyBjhMQGEzOgtoe_3IwqE8KY",
"$LR-AN_TTZyWaFQ9mbw5mW4S_pWgOEx6yWGq49tQertc",
"$B8NBX6oUzLTq8OuFK_YvCJhqn2P_0fARY29XSZ6T3DA",
"$2KkS9P38uz-lNpJi17LlKuLwzTkC3j4OTNB0mZT3wqs"
],
"prev_events": [ "$2KkS9P38uz-lNpJi17LlKuLwzTkC3j4OTNB0mZT3wqs" ],
"type": "m.room.member",
"room_id": "!YllBCgVdcoakoavZvX:rycee.net",
"sender": "@valtest:magnesium.test.progval.net",
"content": { "membership": "join" },
"depth": 30072,
"state_key": "@valtest:magnesium.test.progval.net",
"origin": "matrix.org",
"origin_server_ts": 1701629808418,
"hashes": { "sha256": "04LiiqR+T60gMM4HAEsjt+todsfvia0m8LBdZ6eemO4" },
"signatures": {
"magnesium.test.progval.net": { "ed25519:key2": "DPxUXxcLoLKLjFSrei6AVMj9sx7AUXb0dJ6i7nGhemaeM0reqzX6pNJXFgzxkLmHP4mCP1Je5f9Xcq13Z8e/CA" }
}
}
and read the response:
{
"event": {
"auth_events": [
"$0pt22mJ5ZFjIdguJmKzZyBjhMQGEzOgtoe_3IwqE8KY",
"$LR-AN_TTZyWaFQ9mbw5mW4S_pWgOEx6yWGq49tQertc",
"$B8NBX6oUzLTq8OuFK_YvCJhqn2P_0fARY29XSZ6T3DA",
"$2KkS9P38uz-lNpJi17LlKuLwzTkC3j4OTNB0mZT3wqs"
],
"prev_events": [ "$2KkS9P38uz-lNpJi17LlKuLwzTkC3j4OTNB0mZT3wqs" ],
"type": "m.room.member",
"room_id": "!YllBCgVdcoakoavZvX:rycee.net",
"sender": "@valtest:magnesium.test.progval.net",
"content": { "membership": "join" },
"depth": 30072,
"state_key": "@valtest:magnesium.test.progval.net",
"origin": "matrix.org",
"origin_server_ts": 1701629808418,
"hashes": { "sha256": "04LiiqR+T60gMM4HAEsjt+todsfvia0m8LBdZ6eemO4" },
"signatures": {
"magnesium.test.progval.net": { "ed25519:key2": "DPxUXxcLoLKLjFSrei6AVMj9sx7AUXb0dJ6i7nGhemaeM0reqzX6pNJXFgzxkLmHP4mCP1Je5f9Xcq13Z8e/CA" }
},
"unsigned": { "replaces_state": "$2KkS9P38uz-lNpJi17LlKuLwzTkC3j4OTNB0mZT3wqs" }
}
// ...
}
Notice there is only the joining HS's signature and not matrix.org's.
Homeserver
matrix.org
Synapse Version
both on 1.95.1
and 1.96.1 (b=matrix-org-hotfixes,9c3b906b3a)
Installation Method
I don't know
Database
postgresql
Workers
Multiple workers
Platform
n/a
Configuration
No response
Relevant log output
n/a
Anything else that would be useful to know?
No response
Good spot---thank you.
Synapse's response comes from:
synapse/synapse/federation/federation_server.py
Lines 737 to 739 in 70b503f
Which calls get_dict
and hence should include any signatures already present on the event object. Will need to dig a little deeper to understand where the resident server's signature should be generated by Synapse.
I would guess we need code like
synapse/synapse/federation/federation_server.py
Lines 943 to 950 in 70b503f
Oh, actually we do have this logic: but we only seem to provide a signature when the /send_join is a restricted join (i.e. via a space):
synapse/synapse/federation/federation_server.py
Lines 925 to 932 in 70b503f
It might be that the text of the spec is misleading here? But then again, I don't understand why a nonrestricted join wouldn't require a signature either?