I am using GitHub as my code repositories. I created a webhook for one repository, so when any code change is pushed to this repository, GitHub notifies my app to compile the code. Before compiling the code in my application, I need verify the X-Hub-Signature in GitHub requests, here is what I did in python. I found the signature I computed with the key and payload alway didn't match with the one provided by GitHub. Any idea about this? Thanks!
import hmac
import hashlib
import pickle
def compile_code(request):
payload = pickle.dumps(request.DATA)
signature = hmac.new(APP_KEY, payload, hashlib.sha1).hexdigest()
if signature == request.META.get('X-Hub-Signature'):
do_compile_code()
else:
...
finally the correct way is
signature = 'sha1=' + hmac.new(APP_KEY, request.body, hashlib.sha1).hexdigest()
if signature == request.META.get('HTTP_X_HUB_SIGNATURE'):
do_something()
Example with hmac.compare_digest:
def is_valid_signature(self):
x_hub_sig = hmac.new(
self.github_hook_secret,
self.request.body,
hashlib.sha1
).hexdigest()
return hmac.compare_digest(
x_hub_sig,
self.x_hub_signature
)
def dispatch(self):
self.github_hook_secret = 'some-secret'
self.x_hub_signature = self.request.headers.get('X-Hub-Signature').replace('sha1=', '')
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With