Class GHWebhookSignature

java.lang.Object
org.jenkinsci.plugins.github.webhook.GHWebhookSignature

public class GHWebhookSignature extends Object
Utility class for dealing with signatures of incoming requests.
Since:
1.21.0
  • Field Details

  • Method Details

    • webhookSignature

      public static GHWebhookSignature webhookSignature(String payload, Secret secret)
      Parameters:
      payload - Clear-text to create signature of.
      secret - Key to sign with.
    • sha1

      @Deprecated public String sha1()
      Deprecated.
      Use sha256() for enhanced security
      Computes an RFC 2104-compliant HMAC digest using SHA1 of a payload with a given key (secret).
      Returns:
      HMAC digest of payload using secret as key. Will return COMPUTED_INVALID_SIGNATURE on any exception during computation.
    • sha256

      public String sha256()
      Computes an RFC 2104-compliant HMAC digest using SHA256 of a payload with a given key (secret). This is the recommended method for webhook signature validation.
      Returns:
      HMAC digest of payload using secret as key. Will return COMPUTED_INVALID_SIGNATURE on any exception during computation.
      Since:
      1.45.0
    • matches

      @Deprecated public boolean matches(String digest)
      Deprecated.
      Use matches(String, SignatureAlgorithm) for explicit algorithm selection
      Parameters:
      digest - computed signature from external place (GitHub)
      Returns:
      true if computed and provided signatures are identical
    • matches

      public boolean matches(String digest, SignatureAlgorithm algorithm)
      Validates a signature using the specified algorithm. Uses constant-time comparison to prevent timing attacks.
      Parameters:
      digest - the signature to validate (without algorithm prefix)
      algorithm - the signature algorithm to use
      Returns:
      true if computed and provided signatures match
      Since:
      1.45.0
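
Added example, not the plugin's own code: a stand-alone Java 17 program showing the check that sha256() and matches(String, SignatureAlgorithm) describe, using only JDK classes. The class and method names are hypothetical, the secret and payload are constructed sample values, and the `sha256=` prefix is assumed to be the one GitHub puts on the X-Hub-Signature-256 header value, stripped before comparison as the digest parameter requires.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class WebhookHmacExample {              // hypothetical name, not part of the plugin
    static final String PREFIX = "sha256=";    // assumed algorithm prefix on the header value

    // RFC 2104 HMAC with SHA-256 over the raw request body, lowercase hex.
    static String hmacSha256Hex(String payload, String secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return HexFormat.of().formatHex(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // True only if the header names the expected algorithm and the digest matches.
    static boolean verify(String header, String payload, String secret) {
        if (header == null || !header.startsWith(PREFIX)) {
            return false;                      // missing header or other algorithm: reject
        }
        String provided = header.substring(PREFIX.length());
        try {
            String expected = hmacSha256Hex(payload, secret);
            // MessageDigest.isEqual does not stop at the first differing byte,
            // so the response time does not reveal how much of the digest matched.
            return MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    provided.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            return false;                      // fail closed on any computation error
        }
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-test-secret";                  // constructed sample
        String body = "{\"zen\":\"constructed sample payload\"}";   // constructed sample
        String good = PREFIX + hmacSha256Hex(body, secret);

        System.out.println("valid signature:  " + verify(good, body, secret));
        System.out.println("modified body:    " + verify(good, body + " ", secret));
        System.out.println("wrong key:        " + verify(good, body, "other-secret"));
        System.out.println("sha1= prefix:     " + verify("sha1=" + good.substring(7), body, secret));
        System.out.println("header missing:   " + verify(null, body, secret));
    }
}
```

The HMAC must be computed over the request body exactly as received; re-serialising parsed JSON before hashing changes the bytes and makes valid deliveries fail verification.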