A small Sinatra app to verify the webhook payload signature
Latest commit 9a4b339 Dec 15, 2016 @BanzaiMan BanzaiMan committed on GitHub Merge pull request #2 from crunis/fix_payload_retrieval
Fix payload retrieval


WebhookSignatureVerifier


Description

Travis CI's webhook notification delivers a POST request to the specified endpoint with a JSON payload in the documented format.

In addition, the request carries a custom HTTP header, Signature, which holds the signature computed over the payload data.

This small Sinatra app shows how to verify the signature.

Verifying the signature

  1. Pick up the payload data from the HTTP request's body.
  2. Obtain the Signature header value and base64-decode it.
  3. Obtain the public key corresponding to the private key that signed the payload. This is available on the relevant API server at the /config endpoint, under config.notifications.webhook.public_key (e.g., https://api.travis-ci.org/config).
  4. Verify the decoded signature against the raw payload using that public key and the SHA1 digest.
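The four steps above, carried through in plain Ruby as an added example (this is not the app's own code). Travis CI's private key is of course not available, so the block generates a throwaway RSA key pair and signs a constructed payload with it, standing in for the notification service; the public half plays the role of the key fetched from /config. The verifier itself only needs the PEM public key, the raw request body and the header value, which is exactly what a Sinatra route has in hand.

```ruby
require 'openssl'
require 'base64'

# Steps 1-4 in one function. In the Sinatra app the arguments would come from
# request.body.read (payload) and request.env['HTTP_SIGNATURE'] (header), and
# the PEM from config.notifications.webhook.public_key on the API server.
# Returns true only when the signature matches the exact bytes of the payload.
def verify_webhook_signature(public_key_pem, payload, signature_header)
  public_key = OpenSSL::PKey::RSA.new(public_key_pem)   # step 3: public key
  signature  = Base64.decode64(signature_header)         # step 2: decode header
  public_key.verify(OpenSSL::Digest::SHA1.new, signature, payload) # step 4
rescue OpenSSL::PKey::PKeyError
  # Malformed PEM or an unparseable signature blob: treat as "not verified"
  # rather than letting the exception bubble up as a 500.
  false
end

# Constructed stand-in for the signer. A throwaway key pair replaces Travis
# CI's real private key; the payload is a made-up notification body.
def build_sample_request
  key = OpenSSL::PKey::RSA.new(2048)
  payload = '{"id":1,"number":"42","status":0,"repository":{"name":"example"}}'
  signature_header = Base64.strict_encode64(key.sign(OpenSSL::Digest::SHA1.new, payload))
  { public_key_pem: key.public_key.to_pem, payload: payload, signature: signature_header }
end

# What an endpoint would answer: accept only a verified payload.
def webhook_response(public_key_pem, payload, signature_header)
  if verify_webhook_signature(public_key_pem, payload, signature_header)
    [200, 'payload verified']
  else
    [403, 'signature verification failed']
  end
end

if __FILE__ == $PROGRAM_NAME
  req = build_sample_request
  puts webhook_response(req[:public_key_pem], req[:payload], req[:signature]).inspect
  # Any change to the body after signing must be rejected.
  puts webhook_response(req[:public_key_pem], req[:payload].sub('42', '43'), req[:signature]).inspect
end
```

Two details matter in practice: verify the raw body bytes, not a re-serialised version of the parsed JSON (re-serialising can reorder keys or change whitespace and break the signature), and decide what to do with requests that carry no Signature header at all; the function above treats a missing or empty header the same as a bad one, since Base64.decode64('') yields an empty signature that fails verification.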