Mender Webhook Signature

I’ve been attempting to implement a webhook server integration.

I’m able to set up the webhook fine, but I am unable to authenticate with the X-Men-Signature header.

re: Webhooks | Mender documentation

If you specify a secret, an integrity check is calculated and located in the X-Men-Signature-Payload header, which contains the HMAC-SHA256 of the payload using the configured secret.

First, it seems there is no X-Men-Signature-Payload header, but I’ve assumed this to be the X-Men-Signature header that is associated with the request.

Now for my issue: I set up a test webhook integration with a simple hex string secret, say abcd. On my server, I sign the payload with hmac-256 using the abcd secret as the key.

In a Flask server (Python 3.10) this looks like:

    import hashlib
    import hmac
    from flask import request

    signature = request.headers["X-Men-Signature"]
    secret = get_mender_webhook_secret()
    payload = request.get_data()
    message_hmac = hmac.new(secret.encode(), msg=payload, digestmod=hashlib.sha256)
    # compare_digest raises TypeError on mixed str/bytes, so compare str with str
    valid = hmac.compare_digest(message_hmac.hexdigest(), signature)

However, the hmac hexdigest does not match the signature from the request headers.

What am I doing wrong?

I found the solution with the help of my team and by parsing through the Mender source.

The secret first needs to be decoded as hex: base64.b16decode(get_mender_webhook_secret())

So a working version of the above code is:

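    import base64
    import hashlib
    import hmac
    from flask import request

    signature = request.headers["X-Men-Signature"]
    # The configured secret is a hex string; the HMAC key is its decoded bytes
    secret = base64.b16decode(get_mender_webhook_secret())
    payload = request.get_data()
    message_hmac = hmac.new(secret, msg=payload, digestmod=hashlib.sha256)
    # compare_digest raises TypeError on mixed str/bytes, so compare str with str
    valid = hmac.compare_digest(message_hmac.hexdigest(), signature)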
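The fix described above, as a framework-independent verifier (an added example, not part of the original posts and not Mender's code). It assumes, as the working snippet does, that the secret is configured as a hex string and that X-Men-Signature carries the hex HMAC-SHA256 of the raw body; the function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac


def decode_secret(secret_hex: str) -> bytes:
    """Hex-decode the configured secret (either letter case is accepted)."""
    try:
        return bytes.fromhex(secret_hex.strip())
    except ValueError as exc:
        raise ValueError("webhook secret is not a valid hex string") from exc


def hex_hmac(key: bytes, payload: bytes) -> str:
    """Hex HMAC-SHA256 of payload under key."""
    return hmac.new(key, msg=payload, digestmod=hashlib.sha256).hexdigest()


def verify_signature(secret_hex: str, payload: bytes, header_value) -> bool:
    """True only if header_value is the hex HMAC-SHA256 of the raw payload."""
    if not header_value:
        return False  # header missing or empty: reject
    try:
        received = bytes.fromhex(header_value.strip())
    except ValueError:
        return False  # header is not hex: reject instead of raising
    key = decode_secret(secret_hex)
    expected = hmac.new(key, msg=payload, digestmod=hashlib.sha256).digest()
    # Compare raw digests in constant time; hex letter case no longer matters.
    return hmac.compare_digest(expected, received)


# Constructed sample values: secret "abcd" as in the question, made-up body.
SECRET_HEX = "abcd"
PAYLOAD = b'{"type":"constructed-example"}'

if __name__ == "__main__":
    good = hex_hmac(decode_secret(SECRET_HEX), PAYLOAD)  # key = b"\xab\xcd"
    wrong = hex_hmac(SECRET_HEX.encode(), PAYLOAD)       # key = b"abcd"
    print("hex-decoded key verifies:", verify_signature(SECRET_HEX, PAYLOAD, good))
    print("string-bytes key verifies:", verify_signature(SECRET_HEX, PAYLOAD, wrong))
    print("tampered body verifies:", verify_signature(SECRET_HEX, PAYLOAD + b" ", good))
```

The HMAC must be computed over the raw request bytes (`request.get_data()` in Flask), not over re-serialized JSON.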

Thanks a lot for sharing @Rowansdabomb!

Greetz,
Josef