Add debug logging to signature verification

Temporarily logs received vs expected signatures to diagnose webhook secret mismatches. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 22:47:09 -05:00
parent 7f7ebc84d7
commit 3ee1d55584
1 changed files with 8 additions and 2 deletions
--- a/app.py
+++ b/app.py
@@ -11,7 +11,7 @@ import gitea_client
 import processor

 logging.basicConfig(
-    level=logging.INFO,
+    level=logging.DEBUG,
    format="%(asctime)s [%(levelname)s] %(name)s: %(message)s",
 )
 logger = logging.getLogger(__name__)
@@ -25,11 +25,17 @@ def _verify_signature(payload: bytes, signature_header: str | None) -> bool:
    Gitea sends X-Gitea-Signature as a raw hex digest (no scheme prefix).
    """
    if not signature_header:
+        logger.warning("Signature verification failed: no signature header received")
        return False
    expected = hmac.new(
        config.WEBHOOK_SECRET.encode(), payload, hashlib.sha256
    ).hexdigest()
-    return hmac.compare_digest(expected, signature_header.strip())
+    logger.debug("Received signature: %s", signature_header.strip())
+    logger.debug("Expected signature: %s", expected)
+    match = hmac.compare_digest(expected, signature_header.strip())
+    if not match:
+        logger.warning("Signature mismatch — check WEBHOOK_SECRET matches the secret set in Gitea")
+    return match


 def _handle_push(owner: str, repo: str, changed_files: list[str]) -> None: