From 6cacc6501381a33a8b4015ce61b50c254c59278b Mon Sep 17 00:00:00 2001
From: Alvie Rahman <alvierahman90@gmail.com>
Date: Wed, 4 Aug 2021 21:43:37 +0100
Subject: [PATCH] Add config option SignaturePrefix

---
 config.json      | 3 ++-
 config/config.go | 1 +
 main.go          | 2 +-
 readme.md        | 6 +++++-
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/config.json b/config.json
index 15865c4..741db59 100644
--- a/config.json
+++ b/config.json
@@ -7,7 +7,8 @@
           "AppendPayload": true
       },
       "Secret": "THISISVERYSECRET",
-      "SignatureHeader": "X-Gitea-Signature",
+      "SignatureHeader": "X-Hub-Signature",
+      "SignaturePrefix": "sha256=",
       "Tests": [
         {
           "Program": "echo",
diff --git a/config/config.go b/config/config.go
index 45673d9..e446797 100644
--- a/config/config.go
+++ b/config/config.go
@@ -10,6 +10,7 @@ type Config struct {
 	Services      map[string]struct {
 		Script          Command
 		Secret          string
+		SignaturePrefix string
 		SignatureHeader string
 		Tests           []Command
 	}
diff --git a/main.go b/main.go
index f859c12..f8d6f8e 100644
--- a/main.go
+++ b/main.go
@@ -63,7 +63,7 @@ func webhookHandler(w http.ResponseWriter, r *http.Request) {
 
 	// Verify that signature provided matches signature calculated using secretsss
 	signature := r.Header.Get(service.SignatureHeader)
-	calculatedSignature := getSha256HMACSignature([]byte(service.Secret), payload)
+	calculatedSignature := fmt.Sprintf("%v%v", service.SignaturePrefix, getSha256HMACSignature([]byte(service.Secret), payload))
 	fmt.Printf("signature = %v\n", signature)
 	fmt.Printf("calcuatedSignature = %v\n", signature)
 	if signature != calculatedSignature && checkSignature {
diff --git a/readme.md b/readme.md
index ceb3b9a..cd25d40 100644
--- a/readme.md
+++ b/readme.md
@@ -22,6 +22,9 @@ You **must** set which HTTP header gohookr will receive a signature from using t
 key for each service.
 You should also specify a shared secret in the `Secret` key.
 
+You may also need to specify a `SignaturePrefix`.
+For GitHub it would be `sha256=`.
+
 ### Disable Signature Verification
 
 You can disable signature verification altogether by setting environment variable
@@ -61,7 +64,8 @@ An example config file can be found [here](./config.json) but also below:
           "AppendPayload": true
       },
       "Secret": "THISISVERYSECRET",
-      "SignatureHeader": "X-Gitea-Signature",
+      "SignatureHeader": "X-Hub-Signature",
+      "SignaturePrefix": "sha256=",
       "Tests": [
         {
           "Program": "echo",