Unable to validate hmac signature provided in X-UnityCloudBuild-Signature

Hi, I am using the build webhooks for deployment purposes and I am trying to validate the provided hmac sha256 signature that is given in the header: X-UnityCloudBuild-Signature. I wasn’t able to validate the signature. I’ll explain shortly what I did on the server that receives the hook. Very simply I used the body of the request (which is provided in json format in my case) and calculated the hmac using the same key I provided in the webhook configuration process. That did not result in the same hash provided in the X-UnityCloudBuild-Signature.
Is that the required process to validate the request? I would love some clarification on what exactly I should do. For example maybe the payload includes something in addition to the request body, or maybe it is encoded differently.
I also noticed that a different signature is provided in the Authorization header (something like UNITY-HMAC-SHA256 Timestamp=1722773376; Signature=Os2NYzOi2mg/dzSXzGU3Vq5FA/nStg0M0HDbqyC02XY=) in base64 format. I decoded it to hexadecimal format and it was different than the provided signature in the X-UnityCloudBuild-Signature header. The documentation suggests that the signature in X-UnityCloudBuild-Signature should be used so I suppose the part in the authorization header is irrelevant?
I’ll provide a code snippet to show how I have calculated the hmac on my end:

import { createHmac } from "crypto";

// Re-serialize the already-parsed JSON body and HMAC-SHA256 it with the
// webhook secret; the digest is hex-encoded for comparison with the header.
const payload = JSON.stringify(req.body);
const hash: string = createHmac("sha256", config.SECRET)
        .update(payload)
        .digest("hex");

The server I run is a simple express server running on node.

Thank you.

2 Likes
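An added example (not code from the original poster or from Unity) of the generic webhook-HMAC verification pattern the post is trying to apply, and of one reason the posted approach can fail even when the secret is right: `JSON.stringify(req.body)` re-serializes the parsed object, so its bytes need not match the bytes that were actually signed. The page does not state what Unity uses as the exact signing input, so the secret, the sample body and the header encodings below are all constructed assumptions; the code only shows how to verify over the raw request bytes, with a constant-time comparison, and how to compare a hex-encoded and a base64-encoded copy of the same digest.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed sample data (not from the page): a shared secret and a raw body
// exactly as it would arrive on the wire. The spaces inside the JSON are
// deliberate: JSON.parse followed by JSON.stringify will not reproduce them.
const SECRET = "example-shared-secret";
const RAW_BODY = Buffer.from(
  '{ "buildStatus": "success", "projectName": "demo" }',
  "utf8",
);

// HMAC-SHA256 over the exact bytes received, hex-encoded (what a sender would
// put in a hex signature header, under this example's assumptions).
function signHex(secret: string, body: Buffer): string {
  return createHmac("sha256", secret).update(body).digest("hex");
}

// Verify a presented signature against the raw body. The presented value may be
// hex or base64; it is decoded to bytes and compared in constant time so that
// the comparison itself leaks nothing about the expected value.
function verifySignature(
  secret: string,
  rawBody: Buffer,
  presented: string,
  encoding: "hex" | "base64" = "hex",
): boolean {
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const given = Buffer.from(presented, encoding);
  // Buffer.from() silently truncates malformed hex/base64, so a length check
  // is required before timingSafeEqual (which throws on unequal lengths).
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected);
}

// What the posted snippet effectively does: parse the body, then stringify it
// again. Whitespace (and, in general, any formatting the sender used) is lost.
function reserialized(rawBody: Buffer): string {
  return JSON.stringify(JSON.parse(rawBody.toString("utf8")));
}

// A hex header and a base64 header carrying the same digest decode to the same
// bytes; returns true when the two encodings agree for this secret and body.
function sameDigestAcrossEncodings(secret: string, body: Buffer): boolean {
  const hmac = () => createHmac("sha256", secret).update(body);
  const fromHex = Buffer.from(hmac().digest("hex"), "hex");
  const fromB64 = Buffer.from(hmac().digest("base64"), "base64");
  return fromHex.equals(fromB64);
}

function demo(): { overRaw: boolean; overReserialized: boolean; encodingsAgree: boolean } {
  const sig = signHex(SECRET, RAW_BODY);
  return {
    // Verifying over the raw bytes succeeds.
    overRaw: verifySignature(SECRET, RAW_BODY, sig, "hex"),
    // Verifying over the re-serialized body fails: different bytes, different MAC.
    overReserialized: verifySignature(
      SECRET,
      Buffer.from(reserialized(RAW_BODY), "utf8"),
      sig,
      "hex",
    ),
    encodingsAgree: sameDigestAcrossEncodings(SECRET, RAW_BODY),
  };
}

console.log(demo());
```

In an Express app the raw bytes are available through the `verify` callback of `express.json()` (body-parser's `verify(req, res, buf, encoding)` option), which is the place to stash `buf` on the request for later verification; by the time `req.body` exists, the original bytes are otherwise gone. Whether a given provider signs exactly the raw body, or the body plus a timestamp or other fields, is something only that provider's documentation can settle; the example above covers just the raw-body case.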

Anyone? This is a pretty significant security concern. I need more documentation on the validation process…

1 Like