AppCenter Webhook请求的“签名无效”消息

时间:2019-02-28 09:09:40

标签: github-api visual-studio-app-center

我试图在GitHub API和AppCenter API之间编写代理服务,当我尝试重新路由标准GitHub API消息时,我收到“签名无效”响应。 这是我要发送的内容:

{
"ref": "refs/heads/xxxx",
"before": "xxxxxxxxxxxxx",
"after": "xxxxxxxxxxxxx",
"created": false,
"deleted": false,
"forced": false,
"base_ref": null,
"compare": "https://github.com/xxxxx",
"commits": [{
    "content": "xxxx"
}],
"head_commit": {
    "content": "xxxx"
},
"repository": {
    "content": "xxxx"
},
"pusher": {
    "content": "xxxx"
},
"organization": {
    "content": "xxxx"
},
"sender": {
    "content": "xxxx"
}

}

AppCenter的终结点是:

https://api.appcenter.ms/v0.1/public/apps/xxxxxxxxxxx/hooks

请求的标头是:

{
    "content-type": "application/json",
    "User-Agent": "GitHub-Hookshot/xxxxxxxx",
    "X-GitHub-Delivery": "xxxxxxxxxxxxxx",
    "X-GitHub-Event": "push",
    "X-Hub-Signature": "sha1=xxxxxxxxxxx"
}

这是我得到的答复:

{
    "id": "xxxxxxxxxxxxxxxx",
    "message": "Signature is invalid"
}

我尚未收到AppCenter的明智答复,希望有人已经有类似的经验并可以回答。 谢谢

1 个答案:

答案 0 :(得分:1)

我认为问题在于X-Hub-Signature的价值。从Validating payloads from Github起,Github在有效载荷数据和您在存储库的webhook部分中输入的秘密字符串之间使用HMAC SHA1:

enter image description here

签名格式(不带括号):

sha1={HMAC-SHA1(secret, payload)}

一些计算签名的示例:

  • 使用红宝石(来自here):

    signature = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), ENV['SECRET_TOKEN'], payload_body)

  • 使用javascript(来自here):

    var signature = 'sha1=' + CryptoJS.HmacSHA1(payload, environment.secret).toString(CryptoJS.enc.Hex)
相关问题
最新问题