bors-ng / bors-ng

👁 A merge bot for GitHub Pull Requests
https://bors.tech/
Apache License 2.0
1.52k stars 180 forks

Setup Issue: POST /webhook/github returns a 401 because of an invalid signature #1237

Closed onthespotqa closed 2 years ago

onthespotqa commented 3 years ago

I set up an instance of the GitHub webhook under my account for prototyping. The webhook itself was installed on Heroku using the 1-click deploy.

I've confirmed that the github_webhook_secret is the same in both my installed app and the Heroku instance. I then tried installing it on a single repo, and the webhook request still returns a 401.

Is there something I'm missing? The only other thing I can think of is that I didn't encode the PEM correctly when I uploaded it to Heroku.

Below are the Headers/Payload

Request method: POST
Accept: */*
content-type: application/json
User-Agent: GitHub-Hookshot/5465ee1
X-GitHub-Delivery: 344bc180-ac3b-11eb-81a6-2dfcd8586dd9
X-GitHub-Event: installation
X-GitHub-Hook-ID: 294967260
X-GitHub-Hook-Installation-Target-ID: 113318
X-GitHub-Hook-Installation-Target-Type: integration
X-Hub-Signature: sha1=dd0d165564d03614d509cb7145bf5e3a619cc6e1
X-Hub-Signature-256: sha256=8dc3aed82bf7d227bf52680ba7d71c703a1cac294e2bb6363b4499059112c0e2
  {
    "action": "created",
    "installation": {
      "id": 16698754,
      "account": {
        "login": "onthespotqa",
        "id": 674138,
        "node_id": "MDQ6VXNlcjY3NDEzOA==",
        "avatar_url": "https://avatars.githubusercontent.com/u/674138?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/onthespotqa",
        "html_url": "https://github.com/onthespotqa",
        "followers_url": "https://api.github.com/users/onthespotqa/followers",
        "following_url": "https://api.github.com/users/onthespotqa/following{/other_user}",
        "gists_url": "https://api.github.com/users/onthespotqa/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/onthespotqa/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/onthespotqa/subscriptions",
        "organizations_url": "https://api.github.com/users/onthespotqa/orgs",
        "repos_url": "https://api.github.com/users/onthespotqa/repos",
        "events_url": "https://api.github.com/users/onthespotqa/events{/privacy}",
        "received_events_url": "https://api.github.com/users/onthespotqa/received_events",
        "type": "User",
        "site_admin": false
      },
      "repository_selection": "selected",
      "access_tokens_url": "https://api.github.com/app/installations/16698754/access_tokens",
      "repositories_url": "https://api.github.com/installation/repositories",
      "html_url": "https://github.com/settings/installations/16698754",
      "app_id": 113318,
      "app_slug": "onthestpot-bors-ng",
      "target_id": 674138,
      "target_type": "User",
      "permissions": {
        "checks": "write",
        "issues": "write",
        "contents": "write",
        "metadata": "read",
        "statuses": "write",
        "pull_requests": "write"
      },
      "events": [

      ],
      "created_at": "2021-05-03T12:13:04.000-06:00",
      "updated_at": "2021-05-03T12:13:04.000-06:00",
      "single_file_name": null,
      "has_multiple_single_files": false,
      "single_file_paths": [

      ],
      "suspended_by": null,
      "suspended_at": null
    },
    "repositories": [
      {
        "id": 363231700,
        "node_id": "MDEwOlJlcG9zaXRvcnkzNjMyMzE3MDA=",
        "name": "cypress-realworld-app",
        "full_name": "onthespotqa/cypress-realworld-app",
        "private": false
      }
    ],
    "requester": null,
    "sender": {
      "login": "onthespotqa",
      "id": 674138,
      "node_id": "MDQ6VXNlcjY3NDEzOA==",
      "avatar_url": "https://avatars.githubusercontent.com/u/674138?v=4",
      "gravatar_id": "",
      "url": "https://api.github.com/users/onthespotqa",
      "html_url": "https://github.com/onthespotqa",
      "followers_url": "https://api.github.com/users/onthespotqa/followers",
      "following_url": "https://api.github.com/users/onthespotqa/following{/other_user}",
      "gists_url": "https://api.github.com/users/onthespotqa/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/onthespotqa/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/onthespotqa/subscriptions",
      "organizations_url": "https://api.github.com/users/onthespotqa/orgs",
      "repos_url": "https://api.github.com/users/onthespotqa/repos",
      "events_url": "https://api.github.com/users/onthespotqa/events{/privacy}",
      "received_events_url": "https://api.github.com/users/onthespotqa/received_events",
      "type": "User",
      "site_admin": false
    }
  }

mattsre commented 3 years ago

Hey @onthespotqa, trying to make sure I understand what's going on here. Are you self-hosting Bors on Heroku using the 1-click deploy option? Are there any logs from Bors that you can provide here that might have some more context? I ran into a similar problem in #1212, where GitHub returned a 401 upon user login. The problem turned out to be a random newline at the end of a secret. I'd verify your secrets don't contain any newlines or special characters that could potentially be causing issues.

onthespotqa commented 3 years ago

@RetWolf there do not appear to be any newlines in my secrets. The only thing, maybe, was that I uploaded the PEM key incorrectly: openssl base64 -A -e < private-key.pem. I copied everything up to the % at the end.

The logs do not give anything useful, just:

May 06 08:55:07 onthespot-bors-ng heroku/router at=info method=POST path="/webhook/github" host=onthespot-bors-ng.herokuapp.com request_id=8a8b8d60-ca45-47e9-8f03-20665123ca26 fwd="140.82.115.145" dyno=web.1 connect=1ms service=3ms status=401 bytes=328 protocol=https
May 06 08:55:07 onthespot-bors-ng app/web.1 15:55:07.079 request_id=8a8b8d60-ca45-47e9-8f03-20665123ca26 pid=<0.554.0> [info] POST /webhook/github
May 06 08:55:07 onthespot-bors-ng app/web.1 15:55:07.080 request_id=8a8b8d60-ca45-47e9-8f03-20665123ca26 pid=<0.554.0> [info] Sent 401 in 1ms

onthespotqa commented 3 years ago

@RetWolf I also self-hosted on Heroku and used the 1-click deploy.

Djiit commented 2 years ago

Also facing the same thing, with a fresh Heroku install. Anything you did to fix this?

onthespotqa commented 2 years ago

> Also facing the same thing, with a fresh Heroku install. Anything you did to fix this?

@Djiit never got it to work.

Djiit commented 2 years ago

Folks, I just had to redeploy my Heroku instance with a correct secret. I'd advise trying to redeploy when all your env vars are OK.

RDharsan commented 7 months ago

Can you please let me know the reason for the 401? My credentials are correct. I am using HMAC, SHA-256, and Base64 for encoding, the secret and X-Hub-Signature-256 on my server side.

But I receive a 401 response. I used a GitHub webhook with a push event trigger.
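
Added example (not part of the thread and not bors-ng code): a receiver-side check for the causes raised above, namely a stray newline in the configured secret, a secret that differs from the sender's, and a Base64-encoded digest compared against the header. The `X-Hub-Signature-256` value in the request above is `sha256=` followed by 64 hex characters, computed as HMAC-SHA256 over the raw request body with the webhook secret as key. The secret, the body and all function names here are constructed for illustration.

```python
import base64
import hashlib
import hmac

def expected_header(secret: bytes, raw_body: bytes) -> str:
    """X-Hub-Signature-256 value: 'sha256=' + lowercase hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify(secret: bytes, raw_body: bytes, header: str) -> bool:
    # Constant-time comparison on bytes, so a non-ASCII header is rejected
    # instead of raising TypeError as it would with str arguments.
    return hmac.compare_digest(expected_header(secret, raw_body).encode(), header.encode())

def base64_of_same_mac(local_value: str, header: str) -> bool:
    """True when a locally computed Base64 digest encodes the same MAC as the hex header."""
    try:
        received = bytes.fromhex(header.partition("=")[2])
        return base64.b64decode(local_value, validate=True) == received
    except ValueError:
        return False

def diagnose(configured_secret: bytes, raw_body: bytes, header: str) -> str:
    """Name the likely reason a receiver would answer 401 for this delivery."""
    if verify(configured_secret, raw_body, header):
        return "ok"
    trimmed = configured_secret.strip()
    if trimmed != configured_secret and verify(trimmed, raw_body, header):
        return "configured secret has leading/trailing whitespace"
    return "secret differs from the sender's, or body bytes were altered"

# Constructed sample: secret and body are made up, not taken from the thread.
SECRET = b"example-webhook-secret"
BODY = b'{"action":"created","installation":{"id":1}}'
HEADER = expected_header(SECRET, BODY)  # what the sender would attach

if __name__ == "__main__":
    print(diagnose(SECRET, BODY, HEADER))
    print(diagnose(SECRET + b"\n", BODY, HEADER))   # secret pasted with a newline
    print(diagnose(b"other-secret", BODY, HEADER))  # env var set to a different value
    # Same MAC, Base64-encoded: right bytes, but the text never equals the hex header.
    b64 = base64.b64encode(hmac.new(SECRET, BODY, hashlib.sha256).digest()).decode()
    print(verify(SECRET, BODY, "sha256=" + b64), base64_of_same_mac(b64, HEADER))
```

The check must run over the request body exactly as received; a body that was parsed and re-serialized before hashing generally does not reproduce the same bytes.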