WebhookSignatureVerifier

A small Sinatra app to verify the webhook payload signature

Description

Travis CI's webhook notification delivers a POST request to the specified endpoint, with a JSON payload as described.

In addition, the request carries a custom HTTP header, Signature, containing the signature of the payload data.

This small Sinatra app shows how to verify the signature.

Verifying the signature

  1. Pick up the payload data from the HTTP request's body.
  2. Obtain the Signature header value, and base64-decode it.
  3. Obtain the public key corresponding to the private key that signed the payload. It is available as config.notifications.webhook.public_key in the response from the /config endpoint on the relevant API server (e.g., https://api.travis-ci.org/config).
  4. Verify the signature using the public key and SHA1 digest.
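
The four steps above as a stand-alone Ruby sketch. This is an added example, not the code in this repository: the helper names (public_key_from_config, valid_signature?, constructed_sample) are hypothetical, and the key pair, payload and /config document are constructed locally so it runs offline. In a real handler the payload and the Signature value come from the incoming request.

```ruby
require 'openssl'
require 'json'

# Hypothetical helper for step 3: pull the PEM public key out of a /config
# response body (config.notifications.webhook.public_key).
def public_key_from_config(config_json)
  JSON.parse(config_json).dig('config', 'notifications', 'webhook', 'public_key')
end

# Hypothetical helper for steps 2 and 4. Returns true only for a valid
# signature; a missing value, an unparsable key or a malformed signature
# all yield false instead of raising.
def valid_signature?(payload, signature_b64, public_key_pem)
  return false if [payload, signature_b64, public_key_pem].any?(&:nil?)

  signature = signature_b64.unpack1('m') # base64-decode the header value
  key = OpenSSL::PKey::RSA.new(public_key_pem)
  key.verify(OpenSSL::Digest.new('SHA1'), signature, payload)
rescue OpenSSL::PKey::PKeyError, ArgumentError, TypeError
  false
end

# Constructed sample data: a throwaway RSA key signs a made-up payload, and
# the public half is wrapped in a document shaped like the /config response.
def constructed_sample
  key = OpenSSL::PKey::RSA.new(2048)
  payload = '{"state":"passed","branch":"master"}'
  signature = key.sign(OpenSSL::Digest.new('SHA1'), payload)
  config = { 'config' => { 'notifications' => { 'webhook' =>
             { 'public_key' => key.public_key.to_pem } } } }
  { payload: payload,
    signature: [signature].pack('m0'),
    config_json: JSON.generate(config) }
end

if __FILE__ == $PROGRAM_NAME
  s = constructed_sample
  pem = public_key_from_config(s[:config_json])
  tampered = s[:payload].sub('passed', 'failed')
  puts "genuine:  #{valid_signature?(s[:payload], s[:signature], pem)}"
  puts "tampered: #{valid_signature?(tampered, s[:signature], pem)}"
end
```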