Better documentation for payload-hash-sha1 and payload-hash-sha256 #289

Open
computator opened this issue Dec 5, 2018 · 5 comments

@computator computator commented Dec 5, 2018

None of the documentation for payload-hash-sha1 references that it refers to a HMAC and not something else such as a plain sha1 hash. Documentation of support for payload-hash-sha256 is also missing entirely.

Depending on the level of backwards compatibility you wish to maintain, I might suggest that payload-hash-sha1 (and sha256) be renamed to payload-hmac-sha1, possibly leaving the old names as an alias for backward support.

Owner

@adnanh adnanh commented Dec 14, 2018

I always forget GitHub doesn't send notifications for reactions...
I completely agree with you. 👍


@zoenglinghou zoenglinghou commented Jan 13, 2019

I am having trouble setting this up as well. I am not that familiar with this concept (although I do know how to do shasum256 in terminal). What is the correct way of setting this up? Should I put the secret in the hooks.json and send the hash of the secret through the header?

I keep getting

Error occurred while evaluating hook rules.

Thanks ❤️

Owner

@adnanh adnanh commented Jan 28, 2019

@CarlosEvo The way this works is that the sender calculates shasum256 of the body using the defined secret key, and sends the hash to you (usually via custom header, if you're using http(s) for transport).

On the receiving side, you calculate the shasum256 of the body you just received using the same secret key and you compare the calculated hash to the one you got from the header.

If it matches, that means the sender really knows the secret key, and you can trust that the payload hasn't been tampered with.

You can read more about digital signatures in general over at Wikipedia.
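
The exchange described in the comment above, as an added example that is not part of the original thread or the webhook project's own code: the sender computes an HMAC-SHA256 of the body with the shared secret, the receiver recomputes it and compares in constant time, and a plain unkeyed SHA-256 of the body (what `shasum` prints) is rejected. The secret, the payload and the optional `sha256=` header prefix are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Sign returns the hex-encoded HMAC-SHA256 of body keyed with secret.
// The sender places this value in the signature header.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the HMAC over the received body and compares it with the
// header value in constant time. Accepting a "sha256=" prefix is an
// assumption about the sender's header format.
func Verify(secret, body []byte, header string) bool {
	got, err := hex.DecodeString(strings.TrimPrefix(strings.TrimSpace(header), "sha256="))
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// PlainSHA256 is the unkeyed digest that `shasum -a 256` prints. Anyone can
// compute it from the body alone, so it proves nothing about the sender.
func PlainSHA256(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

func main() {
	secret := []byte("constructed-example-secret") // constructed sample value
	body := []byte(`{"ref":"refs/heads/main"}`)    // constructed sample payload
	sig := Sign(secret, body)
	fmt.Println("header value:     ", sig)
	fmt.Println("valid signature:  ", Verify(secret, body, sig))
	fmt.Println("tampered body:    ", Verify(secret, []byte(`{"ref":"x"}`), sig))
	fmt.Println("plain sha256 sent:", Verify(secret, body, PlainSHA256(body)))
	fmt.Println("wrong secret:     ", Verify([]byte("other"), body, sig))
}
```
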


@zoenglinghou zoenglinghou commented Jan 29, 2019

@adnanh Wow, I appreciate the information!

Owner

@adnanh adnanh commented Jan 29, 2019

@CarlosEvo It's definitely an interesting topic, and can be applied in a lot of segments :-)

@moorereason moorereason added this to the 2.8.0 milestone Dec 26, 2019