Do not hardcode path to the user used for signed fetches spoofing

config/config.exs

@@ -365,6 +365,12 @@
   note_replies_output_limit: 5,
   sign_object_fetches: true,
   authorized_fetch_mode: false,
+  spoof_object_fetch_signatures: false,
+  spoofed_key: "-----BEGIN RSA PRIVATE KEY-----
+overwrite this with your internal.fetch key rippen from donor instance DB
+yes, just like that, newlines are important
+-----END RSA PRIVATE KEY-----",
+  spoofed_user: "https://funnydomain.example/internal/fetch",
   max_collection_objects: 50
 
 config :pleroma, :streamer,

lib/pleroma/object/fetcher.ex

@@ -3,7 +3,10 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Object.Fetcher do
+  @behaviour HTTPSignatures.Adapter
+
   alias Pleroma.HTTP
+  alias Pleroma.Keys
   alias Pleroma.Instances
   alias Pleroma.Maps
   alias Pleroma.Object
@@ -203,13 +206,31 @@ def fetch_object_from_id!(id, options \\ []) do
   defp make_signature(id, date) do
     uri = URI.parse(id)
 
-    signature =
+    spoofed_pem = Pleroma.Config.get([:activitypub, :spoofed_key])
+    # workaround for syntax shite disallowing me from defining signature in "if" block
+    spoofed_key = if Pleroma.Config.get([:activitypub, :spoof_object_fetch_signatures]) do
+      with {:ok, private_key, _} <- Keys.keys_from_pem(spoofed_pem) do
+        private_key
+      end
+    else
+      ""
+    end
+    spoofed_user = Pleroma.Config.get([:activitypub, :spoofed_user])
+
+    signature = if Pleroma.Config.get([:activitypub, :spoof_object_fetch_signatures]) do
+      HTTPSignatures.sign(spoofed_key, spoofed_user <> "#main-key", %{
+        "(request-target)": "get #{uri.path}",
+        host: uri.host,
+        date: date
+      })
+    else
       InternalFetchActor.get_actor()
       |> Signature.sign(%{
         "(request-target)": "get #{uri.path}",
         host: uri.host,
         date: date
       })
+    end
 
     {"signature", signature}
   end