Unable to validate X-Hub-Signature-256 from webhook #24646
-
I have set up a GitHub webhook with content type as application/json and have provided a secret. My Java code generates a different hash than what GitHub provides. Any help will be highly appreciated. Thanks in advance. Java code:
-
This is resolved. When I was copying the payload, it was adding some formatting chars (\n, \t), due to which the payload was getting modified. It worked after stripping those.
-
Even after removing formatting chars I couldn't generate the correct signature.
-
@madhumithra Can you share more details such as how you have configured webhooks and code you are using to verify those?
-
Hello I have the same problem.
-
Bumping this instead of making a new discussion. I am also having trouble validating hashes properly. I am working with Python and using the Flask framework for my server.

```python
import hmac
from flask import request

# `app` (the Flask instance) and `github_secret` (bytes) are defined elsewhere.
@app.route("/github_webhook", methods=["POST"])
def github_webhook():
    if "X-Hub-Signature-256" in request.headers:
        # HMAC-SHA256 over the request body as Flask exposes it
        compute_hash = hmac.new(github_secret, request.data, digestmod="sha256").hexdigest()
        if hmac.compare_digest(request.headers["X-Hub-Signature-256"], f"sha256={compute_hash}"):
            return "webhook hash validated!", 202
    return "webhook hash does not match!", 401
```

This code always results in a failure to match the hashes from actual webhooks sent by GitHub. Testing locally and using Postman to send the POST requests, I managed to get this to work IF I sent the request using the hash and JSON copied and pasted from the real GitHub request, except put all the JSON on a single line and removed all the white space between arrays in the JSON body (so basically minifying the JSON payload). But the GitHub webhooks recent deliveries tab shows the payload as pretty printed. Is this actually what the payload looks like when GitHub creates the hash? There definitely seems to be a difference with how GitHub is sending the payload, and how Flask creates the
-
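FYI, Scala implementation (requires Java 17+ for the

```scala
import java.nio.charset.StandardCharsets
import java.util.HexFormat
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

// Returns the lowercase hex HMAC-SHA256 of `data` keyed with `sharedSecret`.
def generateHMAC(sharedSecret: String, data: String): String = {
  val secret = new SecretKeySpec(sharedSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256")
  val mac = Mac.getInstance("HmacSHA256")
  mac.init(secret)
  val hash = mac.doFinal(data.getBytes(StandardCharsets.UTF_8))
  HexFormat.of.formatHex(hash)
}
```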
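An added example, not code from any post in this thread: a Python check showing that the signature validates only over the request body bytes exactly as received, so a pretty-printed copy, a parse-and-re-serialize round trip, or a stray newline all fail. The secret, event, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender would compute over these exact bytes."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Validate an X-Hub-Signature-256 value against the body as received."""
    if not header or not header.startswith("sha256="):
        return False  # missing or malformed header: reject, never skip the check
    expected = sign(secret, raw_body).encode("ascii")
    # Compare as bytes in constant time; str inputs must be ASCII-only.
    return hmac.compare_digest(expected, header.encode("utf-8", "replace"))


# Constructed sample values, not taken from a real delivery.
SECRET = b"example-webhook-secret"
EVENT = {"action": "opened", "number": 1, "labels": ["bug", "ui"]}
WIRE_BODY = json.dumps(EVENT, separators=(",", ":")).encode("utf-8")  # bytes on the wire
HEADER = sign(SECRET, WIRE_BODY)


def demo() -> dict:
    parsed = json.loads(WIRE_BODY)
    pretty = json.dumps(parsed, indent=2).encode("utf-8")  # copied from a pretty-printed view
    reserialized = json.dumps(parsed).encode("utf-8")      # parsed, then dumped with default separators
    return {
        "raw": verify(SECRET, WIRE_BODY, HEADER),
        "pretty": verify(SECRET, pretty, HEADER),
        "reserialized": verify(SECRET, reserialized, HEADER),
        "trailing_newline": verify(SECRET, WIRE_BODY + b"\n", HEADER),
        "wrong_secret": verify(b"other-secret", WIRE_BODY, HEADER),
        "no_header": verify(SECRET, WIRE_BODY, None),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} {'valid' if ok else 'rejected'}")
```

In a web framework, pass the unparsed request body bytes to `verify` before any JSON decoding takes place.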