From 7f7ebc84d7877ebeb3e451ff0ef9e4074bc1c1fc Mon Sep 17 00:00:00 2001 From: Spencer Date: Sat, 14 Mar 2026 22:41:02 -0500 Subject: [PATCH] Fix webhook signature verification for Gitea Gitea sends X-Gitea-Signature as a raw hex digest with no scheme prefix, unlike GitHub's sha256= format. Removed the prefix parsing that was causing every request to fail validation. Co-Authored-By: Claude Sonnet 4.6
---
 app.py | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/app.py b/app.py
index c215480..a885d0a 100644
--- a/app.py
+++ b/app.py
@@ -20,19 +20,16 @@ app = Flask(__name__)


 def _verify_signature(payload: bytes, signature_header: str | None) -> bool:
- """Validate the Gitea webhook HMAC-SHA256 signature."""
+ """Validate the Gitea webhook HMAC-SHA256 signature.
+
+ Gitea sends X-Gitea-Signature as a raw hex digest (no scheme prefix).
+ """
 if not signature_header:
 return False
- try:
- scheme, provided_digest = signature_header.split("=", 1)
- except ValueError:
- return False
- if scheme != "sha256":
- return False
 expected = hmac.new(
 config.WEBHOOK_SECRET.encode(), payload, hashlib.sha256
 ).hexdigest()
- return hmac.compare_digest(expected, provided_digest)
+ return hmac.compare_digest(expected, signature_header.strip())


 def _handle_push(owner: str, repo: str, changed_files: list[str]) -> None:
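Review bot: The final `hmac.compare_digest(expected, signature_header.strip())` compares two `str` values, and `compare_digest` raises `TypeError` when a `str` argument contains non-ASCII characters, so a request whose X-Gitea-Signature header carries such characters would probably surface as an unhandled 500 rather than a clean rejection. Comparing bytes avoids that: `return hmac.compare_digest(expected.encode(), signature_header.strip().encode())`. Separately, `config.WEBHOOK_SECRET` is defined outside this hunk; if it can be empty, the expected digest is computable by any sender, so an early `if not config.WEBHOOK_SECRET: return False` would make the check fail closed.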