Fix webhook signature verification for Gitea

Gitea sends X-Gitea-Signature as a raw hex digest with no scheme prefix, unlike GitHub's sha256=<digest> format. Removed the prefix parsing that was causing every request to fail validation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 22:41:02 -05:00
parent a2adda20a8
commit 7f7ebc84d7
1 changed files with 5 additions and 8 deletions
--- a/app.py
+++ b/app.py
@@ -20,19 +20,16 @@ app = Flask(__name__)


 def _verify_signature(payload: bytes, signature_header: str | None) -> bool:
-    """Validate the Gitea webhook HMAC-SHA256 signature."""
+    """Validate the Gitea webhook HMAC-SHA256 signature.
+
+    Gitea sends X-Gitea-Signature as a raw hex digest (no scheme prefix).
+    """
    if not signature_header:
        return False
-    try:
-        scheme, provided_digest = signature_header.split("=", 1)
-    except ValueError:
-        return False
-    if scheme != "sha256":
-        return False
    expected = hmac.new(
        config.WEBHOOK_SECRET.encode(), payload, hashlib.sha256
    ).hexdigest()
-    return hmac.compare_digest(expected, provided_digest)
+    return hmac.compare_digest(expected, signature_header.strip())


 def _handle_push(owner: str, repo: str, changed_files: list[str]) -> None: