From 175ff369771ba0231c31c57821e2860f4474e238 Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Mon, 2 Feb 2026 11:06:05 +0100
Subject: [PATCH 1/4] Enable RFC 9421 signature by default

Change the default value of activitypub_rfc9421_signature from false to
true. The modern HTTP Message Signature standard (RFC 9421) is now used
by default instead of being opt-in.

This is safe because the plugin already has graceful fallback: if RFC
9421 fails (4xx response), it automatically retries with Draft Cavage
signature and caches incompatible hosts for one month.
---
 includes/class-options.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/class-options.php b/includes/class-options.php
index 54b04da7c1..c5fe565635 100644
--- a/includes/class-options.php
+++ b/includes/class-options.php
@@ -270,7 +270,7 @@ public static function register_settings() {
 			array(
 				'type'        => 'boolean',
 				'description' => 'Use RFC-9421 signature.',
-				'default'     => false,
+				'default'     => true,
 			)
 		);
 

From ab2eec7938a7d7a0d3d6d38fac45d62b891407c8 Mon Sep 17 00:00:00 2001
From: Automattic Bot <sysops+ghmatticbot@automattic.com>
Date: Mon, 2 Feb 2026 12:07:10 +0200
Subject: [PATCH 2/4] Add changelog

---
 .github/changelog/2859-from-description | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .github/changelog/2859-from-description

diff --git a/.github/changelog/2859-from-description b/.github/changelog/2859-from-description
new file mode 100644
index 0000000000..fadf641815
--- /dev/null
+++ b/.github/changelog/2859-from-description
@@ -0,0 +1,4 @@
+Significance: patch
+Type: changed
+
+Enable RFC 9421 HTTP Message Signatures by default.

From f4d23132f07fb7a9705ce34bd8aa74c2adfb0078 Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Mon, 2 Feb 2026 11:09:17 +0100
Subject: [PATCH 3/4] Use string default '1' in get_option calls

The existing pattern uses string comparison with '1', so pass '1' as
the default to get_option() to ensure the setting is enabled when the
option doesn't exist in the database.
---
 includes/class-signature.php                         | 2 +-
 includes/wp-admin/class-advanced-settings-fields.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/class-signature.php b/includes/class-signature.php
index c3759a6539..42bfe848be 100644
--- a/includes/class-signature.php
+++ b/includes/class-signature.php
@@ -42,7 +42,7 @@ public static function sign_request( $args, $url ) {
 			return $args;
 		}
 
-		if ( '1' === \get_option( 'activitypub_rfc9421_signature' ) && self::could_support_rfc9421( $url ) ) {
+		if ( '1' === \get_option( 'activitypub_rfc9421_signature', '1' ) && self::could_support_rfc9421( $url ) ) {
 			$signature = new Http_Message_Signature();
 		} else {
 			$signature = new Http_Signature_Draft();
diff --git a/includes/wp-admin/class-advanced-settings-fields.php b/includes/wp-admin/class-advanced-settings-fields.php
index 5efa7aff77..d3dfc169fc 100644
--- a/includes/wp-admin/class-advanced-settings-fields.php
+++ b/includes/wp-admin/class-advanced-settings-fields.php
@@ -180,7 +180,7 @@ public static function render_authorized_fetch_field() {
 	 * Render RFC-9421 signature field.
 	 */
 	public static function render_rfc9421_signature_field() {
-		$value = \get_option( 'activitypub_rfc9421_signature', '0' );
+		$value = \get_option( 'activitypub_rfc9421_signature', '1' );
 		?>
 		<p>
 			<label>

From e564cf55a65c8697fa6a29643d5f19df5b4c454f Mon Sep 17 00:00:00 2001
From: Konstantin Obenland <obenland@gmx.de>
Date: Mon, 2 Feb 2026 11:15:46 +0100
Subject: [PATCH 4/4] Fix test to explicitly use Draft Cavage signature

The test_verify_http_signature_with_digest test was designed for Draft
Cavage signatures. With RFC 9421 now enabled by default, explicitly
disable it for this test since it doesn't set the $_SERVER variables
needed for RFC 9421 verification.
---
 tests/phpunit/tests/includes/class-test-signature.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tests/phpunit/tests/includes/class-test-signature.php b/tests/phpunit/tests/includes/class-test-signature.php
index ef4d56e131..af2ba05335 100644
--- a/tests/phpunit/tests/includes/class-test-signature.php
+++ b/tests/phpunit/tests/includes/class-test-signature.php
@@ -292,6 +292,9 @@ public function test_unsupported_ec_curve_for_hs2019() {
 	 * @covers ::verify_http_signature
 	 */
 	public function test_verify_http_signature_with_digest() {
+		// Ensure Draft Cavage signature is used for this test.
+		\update_option( 'activitypub_rfc9421_signature', '0' );
+
 		// Create a user and get their keypair.
 		$keys = Actors::get_keypair( 1 );
 
@@ -352,6 +355,7 @@ public function test_verify_http_signature_with_digest() {
 		$this->assertTrue( Signature::verify_http_signature( $request ) );
 
 		\remove_filter( 'activitypub_pre_http_get_remote_object', $mock_remote_key_retrieval );
+		\delete_option( 'activitypub_rfc9421_signature' );
 	}
 
 	/**