The signature is invalid. #22

Closed
swampthang opened this issue Sep 4, 2019 · 1 comment

Comments


swampthang commented Sep 4, 2019

Really excited to find this! Hope you can point out my error.

Mac OS 10.13.6
Laravel framework 5.8.35
Valet server using 'valet share' to create testing URL locally.

I'm testing locally using a github webhook. In webhook-client.php I have the following:

'signature_header_name' => 'X-Hub-Signature',

.env entry is (for testing):

WEBHOOK_CLIENT_SECRET=aCrazyMixedUpSecret

GitHub webhooks send headers that include the signature like this:

X-Hub-Signature: sha1=3fd37bf5a7bdd77c41c1c1954a83fb1936c10624

So, in the DefaultSignatureValidator.php class, I changed the isValid function to replace the sha1= part of the string and also set the algo parameter to be sha1 and logged it like:

public function isValid(Request $request, WebhookConfig $config): bool
{
    $signature = $request->header($config->signatureHeaderName);
    // Strip the "sha1=" prefix GitHub puts in front of the hex digest.
    $signature = trim(str_replace("sha1=", "", $signature));

    if (! $signature) {
        return false;
    }

    $signingSecret = $config->signingSecret;

    if (empty($signingSecret)) {
        throw WebhookFailed::signingSecretNotSet();
    }

    logger(hash('sha1', $signingSecret));

    // Mistake kept as posted: the HMAC is computed over the received signature
    // string instead of over the raw request body, so it can never match.
    $computedSignature = hash_hmac('sha1', $signature, $signingSecret);
    logger($computedSignature);
    return hash_equals($signature, $computedSignature);
}

The log file shows that the 2 hashes are clearly different but I can't figure out why.

Here's the section in the log file showing the debug logger trace followed by the error and the top 3 lines in stacktrace.

[2019-09-04 19:56:47] local.DEBUG: 2875a4a6d743dd08f056b6af8fea43745cf29687  
[2019-09-04 19:56:47] local.DEBUG: da6e7ae92bb6611e7b6a4aec9e3a8a20e260b257  
[2019-09-04 19:56:47] local.ERROR: The signature is invalid. {"exception":"[object] (Spatie\\WebhookClient\\Exceptions\\WebhookFailed(code: 0): The signature is invalid. at /Users/apppath/vendor/spatie/laravel-webhook-client/src/Exceptions/WebhookFailed.php:11)
[stacktrace]
#0 /Users/apppath/vendor/spatie/laravel-webhook-client/src/WebhookProcessor.php(44): Spatie\\WebhookClient\\Exceptions\\WebhookFailed::invalidSignature()
#1 /Users/apppath/vendor/spatie/laravel-webhook-client/src/WebhookProcessor.php(28): Spatie\\WebhookClient\\WebhookProcessor->ensureValidSignature()
#2 /Users/apppath/vendor/spatie/laravel-webhook-client/src/WebhookController.php(11): Spatie\\WebhookClient\\WebhookProcessor->process()

Scratching my head. Anything you can point out that I might be doing wrong would be greatly appreciated.

swampthang (Author) commented

Ok, I'm an idiot. I changed it to this and fixed it.

public function isValid(Request $request, WebhookConfig $config): bool
{
    $signature = $request->header($config->signatureHeaderName);
    if (! $signature) {
        return false;
    }
    // Strip the "sha1=" prefix so only the hex digest remains.
    $signature = trim(str_replace("sha1=", "", $signature));
    $signingSecret = $config->signingSecret;

    if (empty($signingSecret)) {
        throw WebhookFailed::signingSecretNotSet();
    }
    // GitHub signs the raw request body, so the HMAC must be computed over it.
    $computedSignature = hash_hmac('sha1', $request->getContent(), $signingSecret);
    // Constant-time comparison of the two hex digests.
    return hash_equals($signature, $computedSignature);
}

I didn't realize that GitHub was hashing the entire contents even though your function clearly shows handling it that way. Closing this.
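The same check written out in Python, as an added example that is not code from the issue or from the spatie package: it builds the X-Hub-Signature value GitHub would send for a constructed body, verifies it the way the corrected isValid() does (HMAC-SHA1 over the raw body, prefix stripped, constant-time compare), and reproduces the first attempt's mistake of signing the signature string itself. The secret is the one from the issue; the body and function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample input: the secret from the issue and a small JSON body
# standing in for what GitHub would POST to the webhook URL.
SECRET = b"aCrazyMixedUpSecret"
RAW_BODY = b'{"action":"opened","number":22}'
HEX_CHARS = set("0123456789abcdefABCDEF")


def github_sha1_header(raw_body: bytes, secret: bytes) -> str:
    """Build the X-Hub-Signature value: 'sha1=' + hex HMAC-SHA1 of the raw body."""
    return "sha1=" + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify_github_signature(header_value, raw_body: bytes, secret: bytes) -> bool:
    """Return True only if header_value is a valid HMAC-SHA1 over raw_body.

    Mirrors the corrected isValid(): missing header or secret fails closed,
    the 'sha1=' prefix is stripped, the HMAC is computed over the request
    body (not over the signature string), and the digests are compared in
    constant time.
    """
    if not header_value or not secret:
        return False
    scheme, sep, received = header_value.strip().partition("=")
    if sep != "=" or scheme != "sha1":
        return False  # wrong or missing prefix
    if len(received) != 40 or not set(received) <= HEX_CHARS:
        return False  # not a SHA-1 hex digest
    expected = hmac.new(secret, raw_body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(received.lower(), expected)


def mistaken_signature(header_value: str, secret: bytes) -> str:
    """The bug from the first attempt: HMAC over the signature itself, not the body."""
    received = header_value.replace("sha1=", "").strip()
    return hmac.new(secret, received.encode(), hashlib.sha1).hexdigest()


if __name__ == "__main__":
    header = github_sha1_header(RAW_BODY, SECRET)
    print("header:", header)
    print("valid:", verify_github_signature(header, RAW_BODY, SECRET))
    print("first attempt matches:", mistaken_signature(header, SECRET) == header[5:])
```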
