Github sha1 signature hash verify issues #251
Comments
Hi. It looks like this is a question about how to use ASP.NET Core WebHooks. While we do our best to look through all the issues filed here, to get a faster response we suggest posting your questions to StackOverflow using the asp.net-core-mvc tag.
@dougbu, can you please look into this? Thanks!
@WestDiscGolf it sounds like you're attempting to reuse the data RequestBin captured to test your deployed GithubCoreReceiver application. If so, are you sending exactly the same request body? I recommend deploying your application in the cloud e.g. Azure and testing with live requests from your test GitHub repo. We've successfully done exactly that with the GithubCoreReceiver sample multiple times.
@dougbu I'm passing in the body exactly as it appears from the request bin values including the header values, but no joy. I'm trying to get it working to allow for debugging local implementation :-( I did it for the Azure one fine. It's frustrating as it should be workable locally to allow for local development.
The Azure receiver does not verify a signature of the request body. For GitHub, use the raw body exactly as GitHub sent it. That data is not (say) JSON pretty-printed. Line terminations (Unix's
I know the Azure one doesn't verify the post I was referring to testing it locally :-) I copied the raw body from the request bin as is. I've tried application/json as well as the form posting value. I will try looking at the line endings. How have you tested it in the development cycle? Has it been deployed and debugged remotely each time?
Not every time. But definitely after non-trivial updates. And, if you're using the latest packages from https://dotnet.myget.org/gallery/aspnetcore-dev, we have made almost no changes since the last full verification. Bottom line: If signature verification fails, the request body contains different
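Added example (not code from this thread or from the ASP.NET Core WebHooks project): the check discussed above, sketched as HMAC-SHA1 over the raw body bytes compared with the `sha1=<hex>` value of the X-Hub-Signature header. The secret, the JSON body and the class and method names are constructed for illustration; it shows which replay mistakes (pretty-printing, an added line terminator, a BOM) change the bytes and fail verification.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class RawBodySignatureDemo // hypothetical name, illustration only
{
    // "sha1=" + lowercase hex of HMAC-SHA1(secret, raw body bytes).
    static string Sign(byte[] secret, byte[] rawBody)
    {
        using var hmac = new HMACSHA1(secret);
        string hex = BitConverter.ToString(hmac.ComputeHash(rawBody)).Replace("-", "");
        return "sha1=" + hex.ToLowerInvariant();
    }

    // Recompute over the bytes actually received and compare in constant time.
    static bool Verify(byte[] secret, byte[] rawBody, string header)
    {
        if (header == null || !header.StartsWith("sha1=", StringComparison.OrdinalIgnoreCase))
            return false;
        byte[] expected = Encoding.ASCII.GetBytes(Sign(secret, rawBody));
        byte[] supplied = Encoding.ASCII.GetBytes(header.ToLowerInvariant());
        return CryptographicOperations.FixedTimeEquals(expected, supplied);
    }

    static void Main()
    {
        // Constructed secret and body; the body is compact JSON with no trailing newline.
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret");
        byte[] sent = Encoding.UTF8.GetBytes("{\"zen\":\"Keep it logically awesome.\",\"hook_id\":1}");
        string header = Sign(secret, sent); // stands in for the header the sender attached

        string pretty = "{\n  \"zen\": \"Keep it logically awesome.\",\n  \"hook_id\": 1\n}";
        var replays = new (string Name, byte[] Body)[]
        {
            ("exact bytes", sent),
            ("pretty-printed JSON", Encoding.UTF8.GetBytes(pretty)),
            ("trailing LF appended", sent.Concat(new byte[] { 0x0A }).ToArray()),
            ("trailing CRLF appended", sent.Concat(new byte[] { 0x0D, 0x0A }).ToArray()),
            ("UTF-8 BOM prepended", Encoding.UTF8.GetPreamble().Concat(sent).ToArray()),
        };

        // Only the byte-identical replay verifies; every other variant differs by a few bytes.
        foreach (var (name, body) in replays)
            Console.WriteLine($"{name,-24} {body.Length,3} bytes  valid={Verify(secret, body, header)}");
    }
}
```

When a locally replayed request fails, comparing the byte length of the body you send against the Content-Length of the captured request is a quick first check.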
@dougbu thanks for the responses, appreciate you taking the time. Will take a look at the bytes :-)
Thank you for your feedback. We're closing this issue as the questions asked here have been answered.
More for reference if someone else comes across this issue in the future I have written up a blog post on how to run the Github webhook locally and validate the payload with the signature - https://adamstorr.azurewebsites.net/blog/aspnetcore-webhooks-running-the-github-webhook
I have been trying to get the sha1 signature verification to work with the Github webhook for the past couple of days and it's driving me mad.
My Setup steps:
The secretKey is being read out of the secrets.json fine and runs through the var secret = Encoding.UTF8.GetBytes(secretKey); but the value calculated from the ComputeRequestBodySha1HashAsync does not match with the byte[] value converted from the sha1 value passed in the X-Hub-Signature header value. What am I missing?