Failed to verify GitHub X-Hub-Signature in my application

Tags: git, python, github

I am using GitHub for my code repositories. I created a webhook for one repository, so when any code change is pushed to this repository, GitHub notifies my app to compile the code. Before compiling the code in my application, I need to verify the X-Hub-Signature in GitHub requests; here is what I did in Python. I found that the signature I computed with the key and payload always failed to match the one provided by GitHub. Any idea about this? Thanks!

import hmac
import hashlib
import pickle

def compile_code(request):
    payload = pickle.dumps(request.DATA)
    signature = hmac.new(APP_KEY, payload, hashlib.sha1).hexdigest()
    if signature == request.META.get('X-Hub-Signature'):
        do_compile_code()
    else:
        ...

ucdream asked Dec 14 '22 17:12


2 Answers

Finally, the correct way is:

signature = 'sha1=' + hmac.new(APP_KEY, request.body, hashlib.sha1).hexdigest()
if signature == request.META.get('HTTP_X_HUB_SIGNATURE'):
    do_something()

ucdream answered Feb 16 '23 01:02


Example with hmac.compare_digest:

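import hashlib
import hmac

def is_valid_signature(self):
    # HMAC-SHA1 over the raw request body, keyed with the webhook secret
    x_hub_sig = hmac.new(
        self.github_hook_secret,
        self.request.body,
        hashlib.sha1
    ).hexdigest()

    # Constant-time comparison of the two hex digests
    return hmac.compare_digest(
        x_hub_sig,
        self.x_hub_signature
    )

def dispatch(self):
    # hmac.new() requires a bytes key on Python 3
    self.github_hook_secret = b'some-secret'
    # Default to '' so a request without the header fails verification instead of raising
    self.x_hub_signature = self.request.headers.get('X-Hub-Signature', '').replace('sha1=', '')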

chmoder answered Feb 15 '23 23:02
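
The points from the question and both answers, combined in one added example (not code from either poster or from GitHub): the MAC is computed over the raw request bytes rather than a re-serialized copy, the header value carries an algorithm prefix, Django's request.META renames the header, and the comparison is constant-time with a missing header rejected. It goes slightly beyond the thread by also accepting the sha256= form GitHub sends in X-Hub-Signature-256; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# X-Hub-Signature carries "sha1=<hex>"; X-Hub-Signature-256 carries "sha256=<hex>".
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def django_meta_key(header_name):
    """Django exposes header X-Foo-Bar in request.META as HTTP_X_FOO_BAR."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def verify_signature(secret, raw_body, header):
    """True only if header is '<algo>=<hex HMAC of the raw body bytes>'."""
    if not header or "=" not in header:
        return False  # missing or prefix-less header: reject instead of raising
    algo, _, received = header.partition("=")
    digestmod = ALGORITHMS.get(algo)
    if digestmod is None:
        return False  # unknown algorithm prefix
    expected = hmac.new(secret, raw_body, digestmod).hexdigest()
    # Constant-time compare; bytes avoid TypeError on non-ASCII header junk.
    return hmac.compare_digest(expected.encode(), received.encode())


def demo():
    """Run the checks on constructed data (secret and payload are made up)."""
    secret = b"constructed-secret"
    raw_body = b'{"ref":"refs/heads/main","after":"0000"}'
    # What the sender would put in the two headers for this body.
    sig1 = "sha1=" + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()
    sig256 = "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Parsing and re-serializing changes the bytes (separators), so the MAC differs.
    reserialized = json.dumps(json.loads(raw_body)).encode()
    return {
        "raw_sha1": verify_signature(secret, raw_body, sig1),
        "raw_sha256": verify_signature(secret, raw_body, sig256),
        "reserialized": verify_signature(secret, reserialized, sig1),
        "hex_without_prefix": verify_signature(secret, raw_body, sig1[5:]),
        "header_missing": verify_signature(secret, raw_body, None),
        "wrong_secret": verify_signature(b"other", raw_body, sig1),
    }


if __name__ == "__main__":
    print(django_meta_key("X-Hub-Signature"), demo())
```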