Possible security hole if no secret is provided

[gabrielg]

Someone can probably just give the md5 hash of the rest of the POST request as a signature, and have it be valid. Need to test/fix.