
X-Gogs-Signature does not match blob signature #336

Closed
CarreraPHP opened this issue Jan 18, 2018 · 8 comments · Fixed by #369

@CarreraPHP

Hi, I am unable to build my repository in gogs by configuring webhooks due to the "X-Gogs-Signature does not match blob signature" issue.

Below are the sample secret and payload:

secret:

"5IK/wqTT8ZgCtzWwvkg2yorTSmfBB0K4HfYZW"

payload:

{
    "ref": "refs/heads/master",
    "before": "d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
    "after": "d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
    "compare_url": "",
    "commits": [
        {
            "id": "d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
            "message": "add abstruse yml config file\n",
            "url": "http://10.1.59.112:3000/Hexaware/generator-jhipster/commit/d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
            "author": {
                "name": "Yogesh Surendran",
                "email": "[email protected]",
                "username": ""
            },
            "committer": {
                "name": "Yogesh Surendran",
                "email": "[email protected]",
                "username": ""
            },
            "added": [
                ".abstruse.yml"
            ],
            "removed": [],
            "modified": [
                "package.json"
            ],
            "timestamp": "0001-01-01T00:00:00Z"
        }
    ],
    "repository": {
        "id": 1,
        "owner": {
            "id": 2,
            "login": "Hexaware",
            "full_name": "",
            "email": "",
            "avatar_url": "http://10.1.59.112:3000/img/avatar_default.png",
            "username": "Hexaware"
        },
        "name": "generator-jhipster",
        "full_name": "Hexaware/generator-jhipster",
        "description": "generator-jhipster",
        "private": true,
        "fork": false,
        "parent": null,
        "empty": false,
        "mirror": false,
        "size": 27524096,
        "html_url": "http://10.1.59.112:3000/Hexaware/generator-jhipster",
        "ssh_url": "[email protected]:Hexaware/generator-jhipster.git",
        "clone_url": "http://10.1.59.112:3000/Hexaware/generator-jhipster.git",
        "website": "",
        "stars_count": 0,
        "forks_count": 0,
        "watchers_count": 7,
        "open_issues_count": 0,
        "default_branch": "master",
        "created_at": "2017-12-09T20:38:00+05:30",
        "updated_at": "2017-12-09T20:38:00+05:30"
    },
    "pusher": {
        "id": 1,
        "login": "root",
        "full_name": "Yogesh Surendran",
        "email": "[email protected]",
        "avatar_url": "http://10.1.59.112:3000/img/avatar_default.png",
        "username": "root"
    },
    "sender": {
        "id": 1,
        "login": "root",
        "full_name": "Yogesh Surendran",
        "email": "[email protected]",
        "avatar_url": "http://10.1.59.112:3000/img/avatar_default.png",
        "username": "root"
    }
}

When I am testing the signature generated using the hmac-generator, I am getting the signature f5664835e27d0843c3db1dfcba44a197b9e73bd26cab1714fae7cb2d06e787ec (same as gogs), which doesn't match the signature e60f459c1456f9c643dc050516af549990f5a48fede961b2bf9ef503ed35d96a obtained from "crypto.createHmac" used in [verifyGogsWebhook](https://github.com/bleenco/abstruse/blob/master/src/api/webhooks.ts). Below is sample code for generating the signature from the above payload and secret.

nodejs:

"v8.6.0"

code:

var crypto = require('crypto');
var secret = "5IK/wqTT8ZgCtzWwvkg2yorTSmfBB0K4HfYZW";
var payload = {
    "ref": "refs/heads/master",
    "before": "d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
    "after": "d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
    "compare_url": "",
    "commits": [
      {
        "id": "d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
        "message": "add abstruse yml config file\n",
        "url": "http://10.1.59.112:3000/domain/generator-jhipster/commit/d8e779b7d57e7f1331993fd8d292b1fbbcda87d4",
        "author": {
          "name": "Yogesh Surendran",
          "email": "[email protected]",
          "username": ""
        },
        "committer": {
          "name": "Yogesh Surendran",
          "email": "[email protected]",
          "username": ""
        },
        "added": [
          ".abstruse.yml"
        ],
        "removed": [],
        "modified": [
          "package.json"
        ],
        "timestamp": "0001-01-01T00:00:00Z"
      }
    ],
    "repository": {
      "id": 1,
      "owner": {
        "id": 2,
        "login": "domain",
        "full_name": "",
        "email": "",
        "avatar_url": "http://10.1.59.112:3000/img/avatar_default.png",
        "username": "domain"
      },
      "name": "generator-jhipster",
      "full_name": "domain/generator-jhipster",
      "description": "generator-jhipster",
      "private": true,
      "fork": false,
      "parent": null,
      "empty": false,
      "mirror": false,
      "size": 27524096,
      "html_url": "http://10.1.59.112:3000/domain/generator-jhipster",
      "ssh_url": "[email protected]:domain/generator-jhipster.git",
      "clone_url": "http://10.1.59.112:3000/domain/generator-jhipster.git",
      "website": "",
      "stars_count": 0,
      "forks_count": 0,
      "watchers_count": 7,
      "open_issues_count": 0,
      "default_branch": "master",
      "created_at": "2017-12-09T20:38:00+05:30",
      "updated_at": "2017-12-09T20:38:00+05:30"
    },
    "pusher": {
      "id": 1,
      "login": "root",
      "full_name": "Yogesh Surendran",
      "email": "[email protected]",
      "avatar_url": "http://10.1.59.112:3000/img/avatar_default.png",
      "username": "root"
    },
    "sender": {
      "id": 1,
      "login": "root",
      "full_name": "Yogesh Surendran",
      "email": "[email protected]",
      "avatar_url": "http://10.1.59.112:3000/img/avatar_default.png",
      "username": "root"
    }
  };

console.log(crypto.createHmac('sha256', secret).update(JSON.stringify(payload)).digest('hex'));

Currently, I am unable to proceed further, as the signature generated by gogs matches the online hmac tools but doesn't match the nodejs crypto based signature. Could the nodejs version be a problem? Could a "CRLF"/"LF" mismatch be a problem? I need support/direction for the issue.

@jkuri
Contributor

jkuri commented Jan 18, 2018 via email

@CarreraPHP
Author

@jkuri, I went through the test folder but I couldn't find it helpful, or at least I believe I am not able to do what you are expecting. Let me fork the project and run the test cases and see if they are passing.

@jkuri
Contributor

jkuri commented Jan 19, 2018

@CarreraPHP I now exactly know what you mean.
I installed gogs locally and tried to configure it myself. Came to exact same issue as you did and also manually comparing hashes that abstruse/gogs generate.
No matter if I json.stringify the payload or not, I am not getting the same hash signature as gogs generates. Please, if you figure out what is happening here, let me know and we can fix this together.

@irmana
Contributor

irmana commented Feb 27, 2018

@CarreraPHP can you give us any feedback whether this issue is resolved? Thanks.

@RainKolwa

Same problem here. I found that in gogs the signature is generated by the code below:

var signature string
if len(w.Secret) > 0 {
  data, err := payloader.JSONPayload()
  if err != nil {
    log.Error(2, "prepareWebhooks.JSONPayload: %v", err)
  }
  sig := hmac.New(sha256.New, []byte(w.Secret))
  sig.Write(data)
  signature = hex.EncodeToString(sig.Sum(nil))
}

I doubt that the error message has sth to do with the format of the payload.

@jkuri
Contributor

jkuri commented Apr 29, 2018

No, the error message has nothing to do with the calculation of the signature. I am wondering if the JSON payload is somehow different from the payload that is eventually being sent via webhook. I will investigate that right now and try to solve this issue once and for all. @RainKolwa if you come up with something in the meanwhile, please let me know.

@jkuri
Contributor

jkuri commented Apr 29, 2018

@RainKolwa, @CarreraPHP I found the catch about that issue.
I needed to stringify JSON payload with two spaces before calculating signature. Now calculation seems to be valid.

@RainKolwa can you check #369 if it also works for you please? I will merge it then.
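
Added example, not part of the thread and not code from abstruse or Gogs: three ways a receiver can check the webhook HMAC, showing why the compact re-stringify fails, why the two-space re-stringify matches, and why hashing the raw request bytes is the only check that does not depend on the sender's formatting. `senderRequest` is a hypothetical stand-in for the sender (two-space indentation as found in the thread, plus the `\u003c`-style escaping that Go's `encoding/json` applies by default); the secret, events and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample data, not the secret or payload from the issue.
const SECRET = 'constructed-example-secret';
const plainEvent = { ref: 'refs/heads/master', commits: [{ message: 'add config\n' }] };
const htmlEvent = { ref: 'refs/heads/master', commits: [{ message: 'fix <title> & docs\n' }] };

const hmacHex = (secret, data) =>
  crypto.createHmac('sha256', secret).update(data).digest('hex');

// Hypothetical stand-in for the sender: two-space indented JSON, with <, >
// and & escaped as \u00XX, then an HMAC-SHA256 over exactly those bytes.
function senderRequest(event, secret) {
  const text = JSON.stringify(event, null, 2).replace(/[<>&]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  const rawBody = Buffer.from(text, 'utf8');
  return { rawBody, signature: hmacHex(secret, rawBody) };
}

// Constant-time comparison of two SHA-256 hex digests; malformed input fails.
function sameDigest(a, b) {
  const hex = /^[0-9a-f]{64}$/i;
  if (!hex.test(a) || !hex.test(b)) return false;
  return crypto.timingSafeEqual(Buffer.from(a, 'hex'), Buffer.from(b, 'hex'));
}

const reparse = (req) => JSON.parse(req.rawBody.toString('utf8'));

// 1. The issue's approach: re-serialise the parsed body compactly.
const verifyCompact = (req, secret) =>
  sameDigest(hmacHex(secret, JSON.stringify(reparse(req))), req.signature);

// 2. The fix from the thread: re-serialise with two spaces.
const verifyIndented = (req, secret) =>
  sameDigest(hmacHex(secret, JSON.stringify(reparse(req), null, 2)), req.signature);

// 3. Hash exactly the bytes received, before any JSON parsing.
const verifyRaw = (req, secret) =>
  sameDigest(hmacHex(secret, req.rawBody), req.signature);

function runDemo() {
  return [plainEvent, htmlEvent].map((ev) => {
    const req = senderRequest(ev, SECRET);
    return { compact: verifyCompact(req, SECRET),
      indented: verifyIndented(req, SECRET), raw: verifyRaw(req, SECRET) };
  });
}
console.log(runDemo());
```

In an HTTP framework this means capturing the unparsed body buffer before the JSON body parser runs and passing that buffer to the check.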

@RainKolwa

@jkuri It works for me now. thanks!
