"Signature does not match event payload and secret" error
Bug Report
Current Behavior
I don’t think this is a bug within Probot necessarily (maybe the GitHub API itself), but I began getting numerous “Signature does not match event payload and secret” errors, always when my GitHub app received a payload sent from another bot (e.g. `renovate` as shown in the payload below).
Example payload (let me know if you need the full thing)
{
  "action": "edited",
  "number": 12,
  "pull_request": {
    "url": "https://api.github.com/repos/yanrs17/chat-app/pulls/12",
    "id": 235266303,
    "node_id": "MDExOlB1bGxSZXF1ZXN0MjM1MjY2MzAz",
    "html_url": "https://github.com/yanrs17/chat-app/pull/12",
    "diff_url": "https://github.com/yanrs17/chat-app/pull/12.diff",
    "patch_url": "https://github.com/yanrs17/chat-app/pull/12.patch",
    "issue_url": "https://api.github.com/repos/yanrs17/chat-app/issues/12",
    "number": 12,
    "state": "open",
    "locked": false,
    "title": "Update Node.js to v6.17.1",
    "user": {
      "login": "renovate[bot]",
      "id": 29139614,
      "node_id": "MDM6Qm90MjkxMzk2MTQ=",
      "avatar_url": "https://avatars1.githubusercontent.com/in/2740?v=4",
      "gravatar_id": "",
      "url": "https://api.github.com/users/renovate%5Bbot%5D",
      "html_url": "https://github.com/apps/renovate",
      "followers_url": "https://api.github.com/users/renovate%5Bbot%5D/followers",
      "following_url": "https://api.github.com/users/renovate%5Bbot%5D/following{/other_user}",
      "gists_url": "https://api.github.com/users/renovate%5Bbot%5D/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/renovate%5Bbot%5D/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/renovate%5Bbot%5D/subscriptions",
      "organizations_url": "https://api.github.com/users/renovate%5Bbot%5D/orgs",
      "repos_url": "https://api.github.com/users/renovate%5Bbot%5D/repos",
      "events_url": "https://api.github.com/users/renovate%5Bbot%5D/events{/privacy}",
      "received_events_url": "https://api.github.com/users/renovate%5Bbot%5D/received_events",
      "type": "Bot",
      "site_admin": false
    }
    ...
}
I chatted with @gr2m about this on Twitter awhile back, but we never got to any conclusions, so I thought I would open this issue for tracking.
Expected behavior/code
No errors from other GitHub bots
Environment
- Probot version(s): 9.6.6
- Node/npm version: Node 10
- OS: Heroku Deployment
Issue Analytics
- State:
- Created 4 years ago
- Reactions:1
- Comments:6 (2 by maintainers)
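For context on the check behind this error message, the following is an added example, not part of the original issue and not Probot's own code. It shows an HMAC-SHA256 webhook signature check in the `X-Hub-Signature-256` format GitHub uses, and one general way such a check can fail even with the right secret: verifying a re-serialized copy of the body instead of the bytes received. The secret and payload are constructed, and this is not a diagnosis of the issue reported here.

```javascript
// Added example (not Probot's code). Secret and payload below are constructed.
const crypto = require("crypto");

// GitHub sends the HMAC-SHA256 of the raw request body, keyed with the
// webhook secret, in the X-Hub-Signature-256 header as "sha256=<hex>".
function sign(secret, rawBody) {
  const mac = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return `sha256=${mac}`;
}

// Verify against the bytes exactly as received, comparing in constant time.
function verify(secret, rawBody, signatureHeader) {
  const expected = Buffer.from(sign(secret, rawBody));
  const received = Buffer.from(String(signatureHeader || ""));
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Anti-pattern, shown for contrast: verifying a re-serialized copy of the
// parsed body. Any byte-level difference in escaping or spacing breaks it.
function verifyReserialized(secret, rawBody, signatureHeader) {
  const reserialized = JSON.stringify(JSON.parse(rawBody.toString("utf8")));
  return verify(secret, Buffer.from(reserialized, "utf8"), signatureHeader);
}

const SECRET = "constructed-test-secret";
// Constructed body: the sender escaped a non-ASCII character as \u00e9,
// while JSON.stringify would emit it as a literal character.
const RAW = Buffer.from(
  '{"action":"edited","pull_request":{"title":"Caf\\u00e9 update"}}', "utf8");
const HEADER = sign(SECRET, RAW);

function demo() {
  return {
    rawBytes: verify(SECRET, RAW, HEADER),                 // right secret, raw bytes
    reserialized: verifyReserialized(SECRET, RAW, HEADER), // right secret, altered bytes
    wrongSecret: verify("some-other-secret", RAW, HEADER), // secret mismatch
    missingHeader: verify(SECRET, RAW, undefined),         // unsigned delivery
  };
}
console.log(demo());
```

When triaging this error, logging which of these cases applies (header absent, secret mismatch, or body bytes changed before verification) narrows the cause without ever logging the secret itself.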
Top GitHub Comments
I’m running into the same issue. I used the starting project tool `npx create-probot-app my-first-app`. It looks like the tool sets up the private key and webhook secret already.

The reproduction steps for this are just to run the tool that sets up the project, make the app active so we can start receiving hooks. To make the webhooks active, GitHub requires putting in a valid value for the `User authorization callback URL`. I just put it to `github.com` for now.

I’m not sure what I’m supposed to put in there. I’m not sure what I’m supposed to do next. I know I’m probably missing a step. Thanks for your help

Please test again with Probot v10. It did occur to me again in the WIP app using Probot v10, but less frequently, and I want to make sure it’s not something specific to the WIP app.