
Can't verify webhook signature #4233

Closed
2 of 6 tasks
liogate opened this issue Mar 3, 2017 · 6 comments

Comments

@liogate

liogate commented Mar 3, 2017

  • Gogs version (or commit ref): 10.1
  • Git version: 2.11.0
  • Operating system: Docker
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • SQLite
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist (usually found in log/gogs.log):

Description

Sorry to create this issue, but when I receive a webhook in my PHP script I can't verify the signature. It seems the method used by Gogs to calculate the signature is not the same as the one below. Would it be possible to give more details/examples in the documentation?

```php
<?php
define('APP_SECRET', 'xxxxx');

function verify_webhook($data, $hmac_header)
{
	// Gogs signs the raw request body with HMAC-SHA256 and sends the lowercase hex digest
	$calculated_hmac = hash_hmac('sha256', $data, APP_SECRET, false);
	// constant-time comparison instead of ==, so the check does not leak timing information
	return hash_equals($calculated_hmac, $hmac_header);
}

// PHP exposes request headers in $_SERVER as HTTP_<NAME>: upper-cased, dashes replaced by underscores
$hmac_header = isset($_SERVER['HTTP_X_GOGS_SIGNATURE']) ? $_SERVER['HTTP_X_GOGS_SIGNATURE'] : '';
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);
```

Thank you for your help!

@unknwon
Member

unknwon commented Mar 3, 2017

Hi, does verify_webhook return a string-format hex digest?

Can you provide:

  1. Payload you received
  2. Gogs signature
  3. Result from verify_webhook

So I can try to diagnose possible problems.

@unknwon unknwon added the status: needs feedback Tell me more about it label Mar 3, 2017
@liogate
Author

liogate commented Mar 3, 2017

Hi again!

Key used (don't worry, it was only for test purposes)

48dk7eGJ

Signature

2c1e24122b6697f6683589e3d37e215b53f94a913734ad12bd5033056872d7d7

Result of verify_webhook

Value is false.
$calculated_hmac returns:
30e625634231df3229e55fcff7d972a71178aee5a5c9cc801cf627366032f527

Payload

{
  "ref": "refs/heads/master",
  "before": "fd9375523bf5fac258594ddfa790c09b1af44951",
  "after": "68885af8c4e894ea05889e854486f022b6cb3fb2",
  "compare_url": "https://git.heavydev.fr/Treeminder/portal/compare/fd9375523bf5fac258594ddfa790c09b1af44951...68885af8c4e894ea05889e854486f022b6cb3fb2",
  "commits": [
    {
      "id": "68885af8c4e894ea05889e854486f022b6cb3fb2",
      "message": "User auth enabled\n",
      "url": "https://git.heavydev.fr/Treeminder/portal/commit/68885af8c4e894ea05889e854486f022b6cb3fb2",
      "author": {
        "name": "Etienne Fachaux",
        "email": "etienne@fachaux.fr",
        "username": "etienne.fachaux"
      },
      "committer": {
        "name": "Etienne Fachaux",
        "email": "etienne@fachaux.fr",
        "username": "etienne.fachaux"
      },
      "timestamp": "2017-03-03T21:20:26Z"
    }
  ],
  "repository": {
    "id": 49,
    "owner": {
      "id": 29,
      "login": "Treeminder",
      "full_name": "Treeminder",
      "email": "",
      "avatar_url": "https://git.heavydev.fr/avatars/29",
      "username": "Treeminder"
    },
    "name": "portal",
    "full_name": "Treeminder/portal",
    "description": "Portail captif permettant aux utilisateurs de Treeminder de s'authentifier sur les points d'accès wifi.",
    "private": true,
    "fork": false,
    "html_url": "https://git.heavydev.fr/Treeminder/portal",
    "ssh_url": "git@git.heavydev.fr:Treeminder/portal.git",
    "clone_url": "https://git.heavydev.fr/Treeminder/portal.git",
    "website": "",
    "stars_count": 0,
    "forks_count": 0,
    "watchers_count": 2,
    "open_issues_count": 0,
    "default_branch": "master",
    "created_at": "2017-03-01T19:41:25Z",
    "updated_at": "2017-03-03T18:57:59Z"
  },
  "pusher": {
    "id": 1,
    "login": "etienne.fachaux",
    "full_name": "Etienne Fachaux",
    "email": "etienne@fachaux.fr",
    "avatar_url": "https://git.heavydev.fr/avatars/1",
    "username": "etienne.fachaux"
  },
  "sender": {
    "id": 1,
    "login": "etienne.fachaux",
    "full_name": "Etienne Fachaux",
    "email": "etienne@fachaux.fr",
    "avatar_url": "https://git.heavydev.fr/avatars/1",
    "username": "etienne.fachaux"
  }
}

Thanks for your feedback!

@unknwon
Member

unknwon commented Mar 3, 2017

Hi, if I use http://beautifytools.com/hmac-generator.php to generate a hex digest from the given payload and secret, I get the same value as Gogs. And from its website's URL, I think it is also written in PHP?

@unknwon
Member

unknwon commented Mar 4, 2017

I think there is something wrong with your file php://input?

I'm using:

➜  test php --version
PHP 5.6.28 (cli) (built: Dec  6 2016 12:38:54)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

@liogate
Author

liogate commented Mar 4, 2017

Hi,
I found the problem, sorry for the inconvenience. My Windows system converts my file payload.txt to CRLF format when I try to edit it...

Thanks again for all your amazing work!

@liogate liogate closed this as completed Mar 4, 2017
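The root cause found above, as an added example that is not part of the issue or of Gogs itself: the signature is HMAC-SHA256 over the raw request body, compared in constant time, and a single CRLF conversion of the saved payload is enough to produce a different digest. The `diagnose` helper is a debugging aid that reports when the only difference is line endings; the secret and payload below are constructed.

```python
import hashlib
import hmac

# Constructed sample values (not from the issue): a short push payload and a test secret.
SECRET = "example-webhook-secret"
BODY = b'{\n  "ref": "refs/heads/master",\n  "after": "68885af8c4e894ea05889e854486f022b6cb3fb2"\n}'


def gogs_signature(secret: str, body: bytes) -> str:
    """Hex digest as carried in X-Gogs-Signature: HMAC-SHA256 keyed with the
    webhook secret over the raw request body, byte for byte."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, body: bytes, header: str) -> bool:
    """Strict check on the bytes actually received; constant-time compare, never ==."""
    return hmac.compare_digest(gogs_signature(secret, body), header.strip().lower())


def diagnose(secret: str, body: bytes, header: str):
    """Explain a mismatch while debugging: try the body as received, then with
    line endings normalized, then with an editor-added trailing newline removed.
    Returns the name of the first variant that verifies, or None. The production
    check must stay verify_webhook() on the raw bytes; this only tells you that
    the saved copy of the payload was altered on the way."""
    lf_only = body.replace(b"\r\n", b"\n")
    variants = [
        ("raw", body),
        ("lf", lf_only),                              # CRLF -> LF (file edited on Windows)
        ("crlf", lf_only.replace(b"\n", b"\r\n")),    # LF -> CRLF
        ("stripped", body.rstrip(b"\r\n")),           # trailing newline appended by an editor
    ]
    for name, candidate in variants:
        if verify_webhook(secret, candidate, header):
            return name
    return None


if __name__ == "__main__":
    sig = gogs_signature(SECRET, BODY)
    print("as sent by Gogs:", verify_webhook(SECRET, BODY, sig))
    on_disk = BODY.replace(b"\n", b"\r\n")  # what payload.txt looks like after a CRLF conversion
    print("after CRLF conversion:", verify_webhook(SECRET, on_disk, sig),
          "- matches only as variant:", diagnose(SECRET, on_disk, sig))
```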
@unknwon
Member

unknwon commented Mar 4, 2017

👍 good to find out the problem!

@unknwon unknwon removed the status: needs feedback Tell me more about it label Mar 4, 2017
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 12, 2022