A small Sinatra app to verify the webhook payload signature
Travis CI's webhook notification delivers a POST request to the specified endpoint with a JSON payload as described.
In addition, the request comes with the custom HTTP header `Signature`.
This small Sinatra app shows how to verify the signature.
Verifying the signature
- Pick up the `payload` data from the HTTP request's body.
- Obtain the `Signature` header value, and base64-decode it.
- Obtain the public key corresponding to the private key that signed the payload. This is available at the `config.notifications.webhook.public_key` on the relevant API server. (e.g., https://api.travis-ci.org/config)
- Verify the signature using the public key and SHA1 digest.
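The four steps above as a stand-alone Ruby sketch, added here as an example and not taken from the Sinatra app itself. The helper names, the throwaway RSA key, the sample payload and the assumption that the config JSON nests exactly as the dotted path reads are all constructed for illustration.

```ruby
require 'openssl'
require 'json'

# Reads the PEM public key out of the API server's /config document.
# Assumption: the JSON nests exactly as the dotted path in the steps above.
def webhook_public_key(config_json)
  pem = JSON.parse(config_json).dig('config', 'notifications', 'webhook', 'public_key')
  raise ArgumentError, 'no webhook public key in config' unless pem.is_a?(String)
  OpenSSL::PKey.read(pem)
end

# True only when signature_b64 (the Signature header value) is a valid
# signature over payload under public_key, using a SHA1 digest.
def valid_signature?(payload, signature_b64, public_key)
  return false if payload.nil? || signature_b64.to_s.empty?
  signature = signature_b64.unpack1('m') # base64-decode, as Base64.decode64 does
  public_key.verify(OpenSSL::Digest.new('SHA1'), signature, payload)
rescue OpenSSL::PKey::PKeyError
  false # malformed signature bytes: treat as a failed verification
end

# Constructed sample data: a throwaway RSA key stands in for the real key pair.
def demo
  key = OpenSSL::PKey::RSA.generate(2048)
  config = JSON.generate(
    { 'config' => { 'notifications' => { 'webhook' => { 'public_key' => key.public_key.to_pem } } } }
  )
  payload = '{"id":1,"state":"passed"}' # constructed payload
  header = [key.sign(OpenSSL::Digest.new('SHA1'), payload)].pack('m0')
  pub = webhook_public_key(config)
  {
    genuine: valid_signature?(payload, header, pub),
    tampered: valid_signature?(payload.sub('passed', 'failed'), header, pub),
    garbage: valid_signature?(payload, 'not-base64!!', pub),
    missing: valid_signature?(payload, nil, pub)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

A handler should reject the request whenever `valid_signature?` returns false, including when the header is absent, before parsing or acting on the payload.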