feat: RSA key management for ActivityPub signing

- keys.py: Generate/load RSA-2048 keypairs, sign activities
- setup_keys.py: CLI to generate keys
- Real RsaSignature2017 signing (falls back to placeholder if no keys)
- Public key included in actor profile
- Private keys gitignored

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

keys.py

@@ -0,0 +1,119 @@
+"""
+Key management for ActivityPub signing.
+
+Keys are stored in DATA_DIR/keys/:
+- {username}.pem - Private key (chmod 600)
+- {username}.pub - Public key
+"""
+
+import base64
+import hashlib
+import json
+from datetime import datetime, timezone
+from pathlib import Path
+
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa, padding
+
+
+def get_keys_dir(data_dir: Path) -> Path:
+    """Get keys directory, create if needed."""
+    keys_dir = data_dir / "keys"
+    keys_dir.mkdir(parents=True, exist_ok=True)
+    return keys_dir
+
+
+def generate_keypair(data_dir: Path, username: str) -> tuple[str, str]:
+    """Generate RSA keypair for a user.
+
+    Returns (private_pem, public_pem)
+    """
+    keys_dir = get_keys_dir(data_dir)
+    private_path = keys_dir / f"{username}.pem"
+    public_path = keys_dir / f"{username}.pub"
+
+    # Generate key
+    private_key = rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=2048,
+    )
+
+    # Serialize private key
+    private_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption()
+    ).decode()
+
+    # Serialize public key
+    public_pem = private_key.public_key().public_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PublicFormat.SubjectPublicKeyInfo
+    ).decode()
+
+    # Save keys
+    private_path.write_text(private_pem)
+    private_path.chmod(0o600)
+    public_path.write_text(public_pem)
+
+    return private_pem, public_pem
+
+
+def load_private_key(data_dir: Path, username: str):
+    """Load private key for signing."""
+    keys_dir = get_keys_dir(data_dir)
+    private_path = keys_dir / f"{username}.pem"
+
+    if not private_path.exists():
+        raise FileNotFoundError(f"Private key not found: {private_path}")
+
+    private_pem = private_path.read_text()
+    return serialization.load_pem_private_key(
+        private_pem.encode(),
+        password=None
+    )
+
+
+def load_public_key_pem(data_dir: Path, username: str) -> str:
+    """Load public key PEM for actor profile."""
+    keys_dir = get_keys_dir(data_dir)
+    public_path = keys_dir / f"{username}.pub"
+
+    if not public_path.exists():
+        raise FileNotFoundError(f"Public key not found: {public_path}")
+
+    return public_path.read_text()
+
+
+def has_keys(data_dir: Path, username: str) -> bool:
+    """Check if keys exist for user."""
+    keys_dir = get_keys_dir(data_dir)
+    return (keys_dir / f"{username}.pem").exists()
+
+
+def sign_data(private_key, data: str) -> str:
+    """Sign data with private key, return base64 signature."""
+    signature = private_key.sign(
+        data.encode(),
+        padding.PKCS1v15(),
+        hashes.SHA256()
+    )
+    return base64.b64encode(signature).decode()
+
+
+def create_signature(data_dir: Path, username: str, domain: str, activity: dict) -> dict:
+    """Create RsaSignature2017 for an activity."""
+    private_key = load_private_key(data_dir, username)
+
+    # Create canonical JSON for signing
+    canonical = json.dumps(activity, sort_keys=True, separators=(',', ':'))
+
+    # Sign
+    signature_value = sign_data(private_key, canonical)
+
+    return {
+        "type": "RsaSignature2017",
+        "creator": f"https://{domain}/users/{username}#main-key",
+        "created": datetime.now(timezone.utc).isoformat(),
+        "signatureValue": signature_value
+    }