3 years ago, I created a simple subscriber to the YouTube PubSubHubbub API to get notifications when a new video gets uploaded. This stopped working a few months ago; it worked until then. When I debugged what was happening, I saw that the HMAC signature seems to mismatch, causing my server to not process the request.
```csharp
// Header format is "sha1=<hex digest>"; keep only the digest part.
var checksumHeader = context.Request.Headers["X-Hub-Signature"];
var signature = checksumHeader.ToString().Split('=')[1];

// Read the request body as a UTF-8 string.
var stream = context.Request.Body;
string body;
using (var reader = new StreamReader(stream, Encoding.UTF8))
{
    body = await reader.ReadToEndAsync();
}

var isValid = PubSubSecret.Check(body, signature);
```

This is my code that processes YouTube's POST request. This used to work, but now isValid always returns false.
The code of my Check method:

```csharp
public static bool Check(string body, string signature)
{
    using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(Secret)))
    {
        // HMAC-SHA1 over the re-encoded body string, as lowercase hex.
        var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
        var hash = Convert.ToHexString(hashBytes).ToLowerInvariant();
        Console.WriteLine("Sig: " + signature);
        Console.WriteLine("Computed Hash " + hash);
        return signature.Equals(hash);
    }
}
```

If I use the diagnostic tool at https://pubsubhubbub.appspot.com/subscribe?hl=de, I can see that YouTube gets the correct secret, so this is not the problem. Also, this exact code worked, so I wonder what might have changed for this to stop working.
I hope someone can lead me in the right direction about what to check next.
If I copy the string body and secret to one of the many online HMAC-SHA1 tools, I get the same hash as my code computes, but not what YouTube sends in the header.
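
One thing to check, shown as an added example that is not part of the original post: the hub signs the bytes it sends, so the check is most robust when it hashes the exact bytes received rather than a string that was decoded and re-encoded, and compares digests in constant time. The class name `HubSignature`, the secret and the sample body are constructed for illustration; the body carries a UTF-8 byte order mark, one case where the round trip through `StreamReader` changes the bytes.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class HubSignature // hypothetical helper, not from the post
{
    // Verifies "X-Hub-Signature: sha1=<hex>" against the exact bytes received.
    public static bool Verify(byte[] rawBody, string header, byte[] secret)
    {
        const string prefix = "sha1=";
        if (header is null || !header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] claimed;
        try { claimed = Convert.FromHexString(header.Substring(prefix.Length).Trim()); }
        catch (FormatException) { return false; }

        using var hmac = new HMACSHA1(secret);
        byte[] expected = hmac.ComputeHash(rawBody);
        // Constant-time compare; also returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, claimed);
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-secret");

        // Constructed body: a UTF-8 byte order mark followed by a small XML document.
        byte[] xml = Encoding.UTF8.GetBytes("<feed><title>sample</title></feed>");
        byte[] raw = new byte[] { 0xEF, 0xBB, 0xBF }.Concat(xml).ToArray();

        // Header as a sender would compute it: HMAC-SHA1 over the raw bytes.
        string header;
        using (var hmac = new HMACSHA1(secret))
            header = "sha1=" + Convert.ToHexString(hmac.ComputeHash(raw)).ToLowerInvariant();

        // The post's approach: decode with StreamReader, then re-encode the string.
        string text = new StreamReader(new MemoryStream(raw), Encoding.UTF8).ReadToEnd();
        byte[] roundTripped = Encoding.UTF8.GetBytes(text);

        Console.WriteLine($"raw bytes:  {raw.Length}, valid = {Verify(raw, header, secret)}");
        Console.WriteLine($"re-encoded: {roundTripped.Length}, valid = {Verify(roundTripped, header, secret)}");
    }
}
```

In an ASP.NET Core handler, the raw bytes can be obtained by copying `context.Request.Body` into a `MemoryStream` with `CopyToAsync` and calling `ToArray()`.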