This repository has been archived by the owner on Oct 18, 2018. It is now read-only.

Github sha1 signature hash verify issues #251

Closed
WestDiscGolf opened this issue Feb 22, 2018 · 10 comments
@WestDiscGolf
I have been trying to get the SHA1 signature verification to work with the GitHub webhook for the past couple of days, and it's driving me mad.

My setup steps:

  1. Create a new test endpoint at RequestBin
  2. Set up a webhook on GitHub for a test repository, setting a user secret and pointing it at the RequestBin endpoint -> this gets the ping response
  3. Clone the repository and commit/push a test file change to get a push response on the webhook
  4. Set the same user secret as in step 1 in secrets.json for the GithubCoreReceiver sample project
  5. Using Postman, set the X-Hub-Signature, X-Github-Delivery and X-Github-Event HTTP headers with the values sent to the RequestBin endpoint

The secretKey is being read out of secrets.json fine and runs through `var secret = Encoding.UTF8.GetBytes(secretKey);`, but the value calculated by ComputeRequestBodySha1HashAsync does not match the byte[] value converted from the SHA1 value passed in the X-Hub-Signature header.

What am I missing?

@mkArtakMSFT
Member

Hi. It looks like this is a question about how to use ASP.NET Core WebHooks. While we do our best to look through all the issues filed here, to get a faster response we suggest posting your questions to StackOverflow using the asp.net-core-mvc tag.

@mkArtakMSFT
Member

@dougbu, can you please look into this? Thanks!

@dougbu
Member

dougbu commented Feb 23, 2018

@WestDiscGolf it sounds like you're attempting to reuse the data RequestBin captured to test your deployed GithubCoreReceiver application. If so, are you sending exactly the same request body?

I recommend deploying your application in the cloud, e.g. Azure, and testing with live requests from your test GitHub repo. We've successfully done exactly that with the GithubCoreReceiver sample multiple times.

@WestDiscGolf
Author

@dougbu I'm passing in the body exactly as it appears in the RequestBin values, including the header values, but no joy. I'm trying to get it working to allow for debugging a local implementation :-( I did it for the Azure one fine. It's frustrating, as it should be workable locally to allow for local development.

@dougbu
Member

dougbu commented Feb 23, 2018

The Azure receiver does not verify a signature of the request body.

For GitHub, use the raw body exactly as GitHub sent it. That data is not (say) JSON pretty-printed. Line terminations (Unix's \n versus HTTP's required (though servers are lenient) \r\n) are also important.

@WestDiscGolf
Author

I know the Azure one doesn't verify the post; I was referring to testing it locally :-)

I copied the raw body from RequestBin as is. I've tried application/json as well as the form-posting value. I will try looking at the line endings.

How have you tested it in the development cycle? Has it been deployed and debugged remotely each time?

@dougbu
Member

dougbu commented Feb 23, 2018

> Has it been deployed and debugged remotely each time?

Not every time. But definitely after non-trivial updates. And, if you're using the latest packages from https://dotnet.myget.org/gallery/aspnetcore-dev, we have made almost no changes since the last full verification.

Bottom line: If signature verification fails, the request body contains different bytes (most likely case), the X-Hub-Signature header is corrupt, or the configured secret key in your application does not match what GitHub used. Debugging may be required to figure it out.
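As a worked illustration of the three failure modes listed above (different body bytes, a corrupt header, a mismatched secret), here is an added example that is not part of the ASP.NET Core WebHooks project: it computes the value GitHub puts in X-Hub-Signature (HMAC-SHA1 over the raw body, hex-encoded, prefixed `sha1=`) and reports which byte-level change to a captured body, such as pretty-printing, a trailing newline or swapped line endings, is what broke verification. The secret and payload are constructed for the example.

```python
import hashlib
import hmac
import json

def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature: 'sha1=' + hex(HMAC-SHA1(secret, raw body))."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()

def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Verify the header against the exact bytes received, comparing in constant time."""
    if not header.startswith("sha1="):
        return False
    return hmac.compare_digest(github_signature(secret, body), header)

def _compact_json(body: bytes) -> bytes:
    """Re-serialise a (possibly pretty-printed) JSON body without whitespace, keeping key order."""
    try:
        return json.dumps(json.loads(body), separators=(",", ":")).encode("utf-8")
    except ValueError:
        return body

def diagnose(secret: bytes, body: bytes, header: str):
    """Return the name of the first transformation of `body` that makes the header verify,
    or None. Anything other than 'raw' means the bytes were altered (editor, pretty-printer,
    line-ending conversion) somewhere between GitHub and the receiver; None points at the
    header or the secret instead."""
    candidates = [
        ("raw", body),
        ("lf->crlf", body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")),
        ("crlf->lf", body.replace(b"\r\n", b"\n")),
        ("strip trailing whitespace", body.rstrip()),
        ("compact JSON", _compact_json(body)),
    ]
    for name, candidate in candidates:
        if verify_signature(secret, candidate, header):
            return name
    return None

# Constructed sample: a compact payload as GitHub would POST it, signed with a test secret.
SECRET = b"example-webhook-secret"
RAW_BODY = b'{"ref":"refs/heads/master","commits":[]}'
HEADER = github_signature(SECRET, RAW_BODY)  # what GitHub would have sent for RAW_BODY

if __name__ == "__main__":
    pretty = json.dumps(json.loads(RAW_BODY), indent=2).encode("utf-8")
    print("raw body verifies:            ", verify_signature(SECRET, RAW_BODY, HEADER))
    print("pretty-printed body verifies: ", verify_signature(SECRET, pretty, HEADER))
    print("what fixes the pretty body:   ", diagnose(SECRET, pretty, HEADER))
    print("what fixes a trailing newline:", diagnose(SECRET, RAW_BODY + b"\n", HEADER))
```

Run it against a body copied out of RequestBin with the real header and secret to see whether the mismatch is in the bytes, the header or the key.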

@WestDiscGolf
Author

@dougbu thanks for the responses; I appreciate you taking the time. Will take a look at the bytes :-)

@dougbu
Member

dougbu commented Mar 5, 2018

Thank you for your feedback. We're closing this issue as the questions asked here have been answered.

dougbu closed this as completed Mar 5, 2018

@WestDiscGolf
Author

More for reference, if someone else comes across this issue in the future: I have written up a blog post on how to run the GitHub webhook locally and validate the payload with the signature - https://adamstorr.azurewebsites.net/blog/aspnetcore-webhooks-running-the-github-webhook
