
sha1 hash generating different results #146

Closed maikelmclauflin closed 7 years ago

maikelmclauflin commented 7 years ago

somehow I am getting this error

Error: X-Hub-Signature does not match blob signature

I have switched my refreshSecret multiple times, but I cannot seem to get it to work correctly. Below is my server:

// Minimal Express host for the Nuts release server, posted to reproduce the
// "X-Hub-Signature does not match blob signature" error on the refresh webhook.
const express = require('express');
const bodyParser = require('body-parser');
const { Nuts } = require('nuts-serve');

const app = express();

// Body parsing is installed ahead of the Nuts router, so the router only ever
// sees the already-parsed object, never the raw request bytes.
// NOTE(review): if the library verifies the webhook HMAC over a re-serialized
// body instead of the raw bytes, whitespace or key-order differences could also
// produce this mismatch independently of the secret — confirm against the
// library's refresh handler.
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

const nuts = Nuts({
  // GitHub configuration
  repository: "company/app",
  username: 'username',
  // Personal access token, loaded from a separate module rather than inlined.
  token: require('./access-token'),
  // refreshSecret is the HMAC key GitHub uses to sign the webhook payload
  // (X-Hub-Signature). It must be identical to the "Secret" configured on the
  // repository's webhook, otherwise the computed signature never matches.
  // The literal here is a placeholder; in a deployment this belongs in
  // configuration or the environment, not in source control.
  refreshSecret: 'somethingelse'
});

// Arguments shared by both download hooks' log lines.
// Assumes `download` carries `platform` and `version` objects — that shape is
// defined by the library, not visible here.
const downloadDetails = (download) => [
  download.platform.filename,
  "for version",
  download.version.tag,
  "on channel",
  download.version.channel,
  "for",
  download.platform.type,
];

nuts.before('download', (download, next) => {
  console.log('user is downloading', ...downloadDetails(download));
  next();
});

nuts.after('download', (download, next) => {
  console.log('user downloaded', ...downloadDetails(download));
  next();
});

app.use('/', nuts.router);
// The listening port comes solely from the PORT environment variable; nothing
// here supplies a default when it is unset.
app.listen(process.env.PORT);
AaronO commented 7 years ago

@mmclau14 You're getting this error because your refreshSecret doesn't match the secret you have configured in your repo's webhook settings. They need to be the same; otherwise, you'll get different SHA1 signatures.

Those signatures are there to ensure that it is indeed GitHub sending that webhook (using the secret you gave them to sign the payload) and not some malicious third party sending a POST request to your webhook pretending to be GitHub.