From b3c97fc701e54c23a90191927f66e934f10ffbac Mon Sep 17 00:00:00 2001 From: Alain St-Denis Date: Sun, 5 Feb 2023 12:29:20 -0500 Subject: [PATCH 1/2] make sure requests are signed by a local user. --- federation/outbound.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/federation/outbound.py b/federation/outbound.py index 67d31aa..dabab29 100644 --- a/federation/outbound.py +++ b/federation/outbound.py @@ -221,8 +221,10 @@ def handle_send( } ) continue + # The parent_user MUST be local + local_user = author_user if author_user.rsa_private_key else parent_user payloads.append({ - "auth": get_http_authentication(author_user.rsa_private_key, f"{author_user.id}#main-key"), + "auth": get_http_authentication(local_user.rsa_private_key, f"{local_user.id}#main-key"), "headers": { "Content-Type": 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"', }, From 5b560efded6984299f7e47020acf659312c50ee2 Mon Sep 17 00:00:00 2001 From: Alain St-Denis Date: Mon, 6 Feb 2023 09:03:22 -0500 Subject: [PATCH 2/2] update changelog and doc string. django now throws a ModuleNotFound error when it's config can't be found. Catch it. --- CHANGELOG.md | 2 ++ federation/outbound.py | 5 ++++- federation/utils/django.py | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a2a6e1..f1a902b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,6 +55,8 @@ * Signatures are not verified and the corresponding payload is dropped if no public key is found. +* Sign forwarded AP replies and shares with the target content author's private key. + ### Internal changes * Dropped python 3.6 support. diff --git a/federation/outbound.py b/federation/outbound.py index dabab29..ad695b8 100644 --- a/federation/outbound.py +++ b/federation/outbound.py 
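Review bot: In the `@@ -221,8 +221,10 @@` hunk of federation/outbound.py, the fallback `local_user = author_user if author_user.rsa_private_key else parent_user` is used without checking that it produced a user with a key. The `handle_send` docstring describes `parent_user` as optional, so when the author has no private key and no parent is passed, `local_user.rsa_private_key` raises AttributeError, and a parent that is not local hands a missing key to `get_http_authentication`. The comment `# The parent_user MUST be local` states the precondition but nothing enforces it; a guard such as `if not (local_user and local_user.rsa_private_key):` followed by a logged `continue` would skip that recipient rather than fail mid-loop. The docstring hunk in patch 2/2 should state the same precondition, and a short comment here could note that the signature `keyId` will then name the parent rather than the activity's author, which is presumably the intent for forwarded replies and shares. `handle_send` begins and ends outside the hunk.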
@@ -132,7 +132,10 @@ def handle_send( ] :arg parent_user: (Optional) User object of the parent object, if there is one. This must be given for the Diaspora protocol if a parent object exists, so that a proper ``parent_author_signature`` can - be generated. If given, the payload will be sent as this user. + be generated. If given, the payload will be sent as this user. For Activitypub, the + parent_user's private key will be used to generate the http signature if the author_user + is not a local user. + :arg payload_logger: (Optional) Function to log the payloads with. """ payloads = [] diff --git a/federation/utils/django.py b/federation/utils/django.py index 1181780..e4549fd 100644 --- a/federation/utils/django.py +++ b/federation/utils/django.py @@ -23,7 +23,7 @@ def get_configuration(): } try: configuration.update(settings.FEDERATION) - except ImproperlyConfigured: + except (ModuleNotFoundError, ImproperlyConfigured): # Django is not properly configured, return defaults return configuration if not all([
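Review bot: In the federation/utils/django.py hunk, adding `ModuleNotFoundError` to the `except` makes `get_configuration()` return defaults for any missing module raised while `settings.FEDERATION` is resolved, not only for an absent settings module. A broken import inside an otherwise present settings file would presumably be swallowed the same way, leaving the application running on default federation settings with no trace. Binding and logging the exception before the early return keeps the fallback visible, e.g. `except (ModuleNotFoundError, ImproperlyConfigured) as exc:` with `logger.warning("Django settings unavailable, using defaults: %s", exc)`, assuming a module logger is available. The comment `# Django is not properly configured, return defaults` should also mention the missing-module case. `get_configuration` continues past the end of the hunk.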