From 3ee1d55584dd7faa45588c614aa89a167d1c8d1b Mon Sep 17 00:00:00 2001
From: Spencer
Date: Sat, 14 Mar 2026 22:47:09 -0500
Subject: [PATCH] Add debug logging to signature verification

Temporarily logs received vs expected signatures to diagnose webhook secret mismatches.

Co-Authored-By: Claude Sonnet 4.6
---
 app.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app.py b/app.py
index a885d0a..c2bd5b1 100644
--- a/app.py
+++ b/app.py
@@ -11,7 +11,7 @@ import gitea_client
 import processor
 logging.basicConfig(
- level=logging.INFO,
+ level=logging.DEBUG,
 format="%(asctime)s [%(levelname)s] %(name)s: %(message)s",
 )
 logger = logging.getLogger(__name__)
@@ -25,11 +25,17 @@ def _verify_signature(payload: bytes, signature_header: str | None) -> bool:
 Gitea sends X-Gitea-Signature as a raw hex digest (no scheme prefix).
 """
 if not signature_header:
+ logger.warning("Signature verification failed: no signature header received")
 return False
 expected = hmac.new(
 config.WEBHOOK_SECRET.encode(), payload, hashlib.sha256
 ).hexdigest()
- return hmac.compare_digest(expected, signature_header.strip())
+ logger.debug("Received signature: %s", signature_header.strip())
+ logger.debug("Expected signature: %s", expected)
+ match = hmac.compare_digest(expected, signature_header.strip())
+ if not match:
+ logger.warning("Signature mismatch — check WEBHOOK_SECRET matches the secret set in Gitea")
+ return match
 def _handle_push(owner: str, repo: str, changed_files: list[str]) -> None:
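Review bot: Setting `level=logging.DEBUG` in `logging.basicConfig(...)` raises the root logger, so every imported library starts emitting debug records, not only this module. Depending on what `gitea_client` and `processor` use underneath, that may include request details that were never meant for the log. Since the commit message calls this temporary, keep the root at `logging.INFO` and raise only this module with `logger.setLevel(logging.DEBUG)` after `logger = logging.getLogger(__name__)`. Alternatively, read the level from an environment variable so the verbose setting cannot ship enabled by accident.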
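Review bot: The added `logger.debug("Expected signature: %s", expected)` writes a valid HMAC for the received body to the log on every request, including requests that fail verification. Anyone with read access to the logs can therefore obtain an accepted signature for a given payload without knowing `WEBHOOK_SECRET`, which defeats the check this function performs. Diagnosing a secret mismatch does not need the digest values, only their shape. Use `received = signature_header.strip()` and `logger.debug("Signature check: received_len=%d expected_len=%d", len(received), len(expected))` instead, which also avoids calling `.strip()` twice. The function signature and the start of the docstring lie outside the hunk, so the rest of `_verify_signature` was not reviewed.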