I can't seem to verify shipwire's signature. I've checked around and most examples from forums etc just seem to work but it's not with shipwire, I'm wondering if there's anyone who has experience with dealing with shipwire. Basically code states
X-Shipwire-Signature: abc123;secret-id=2
The hash value is the HMAC-SHA256 of the unaltered POST request body
so a simple check on my code I did first registered a secret via their api and got the results, stored it in rails credentials
"resource":{"id":796,"secret":"cbfbf1dc131cd590ed04f5d2c80651f...",
so in my controller I did the following
webhook_secret = Rails.application.credentials.shipwire[:webhook_secret]
data = request.raw_post
result = OpenSSL::HMAC.hexdigest("sha256", webhook_secret, data)
but the result doesn't match with the signature they are returning, not by a long shot.
Okay so I finally got to solve it, for those working on shipwire since there's not much docs for this I'll post.
Basically you need to convert your registered secret to binary and use that as the key for the hash to match, I haven't had the time to write the code properly but I was able to verify via a quick dirty code
shipwire_sig = request.headers["HTTP_X_SHIPWIRE_SIGNATURE"]
key = webhook_secret.scan(/../).map { |x| x.hex.chr }.join
signature = OpenSSL::HMAC.hexdigest("sha256", key, data)
shipwire_sig == signature