Ok, this issue have been raised twice, but i got an use-case that i don't know how to handle without the raw POST data.
If you use PubSubHubbub api, you can can give a secret, and any data that you will receive will be signed:
To verify the signature, i think it should be something like:
from hashlib import sha1
signature = 'sha1:' + hmac.new(my_secret, request.data, sha1).hex_digest()
I've tried to use json.dumps(request.form) to get the initial raw data, but it doesn't work, maybe cause of a space or a line break.
(The real use case here is using the PubSubHubbub hook from Github, to get a CIA.vc like service)
Here is an example of request received from github, with the secret 'aoserchsr989898h': http://requestb.in/153mbk31
The correct solution here is to wrap the stream and to do the sha1 as you go. I will add an example to the docs.