ghprb

"Local signature xxx does not match external signature yyy" in Jenkins log

Open serv opened this issue 8 years ago • 11 comments

I have a problem where Jenkins does detect the PR changes, but it errors out saying that local signature does not match the external signature.

In the Jenkins log

Mar 07, 2016 9:59:00 AM INFO org.jenkinsci.plugins.ghprb.GhprbRootAction doIndex
Checking PR #1,076 for XYZ/ABC
Mar 07, 2016 9:59:00 AM SEVERE org.jenkinsci.plugins.ghprb.GhprbGitHubAuth checkSignature
Local signature bef41f51e9044c0140501b3c632a8af2ada55775 does not match external signature 577e46760f6d666bf690e6e515e28a095b0938c3

Any idea what affects the generation of local signature?

One thing to note is that other team members do not have this problem, while I do.

serv avatar Mar 07 '16 18:03 serv

Check the secret key in the Jenkins master config against the webhook in github.

DavidTanner avatar Mar 07 '16 18:03 DavidTanner

Thanks for the quick response. Are you referring to these two values below?

On GitHub: [screenshot]

On Jenkins: [screenshot]

I believe these are the same already because other team members do not have a problem getting their PR triggered for their test, while my PRs fail due to the signature check.

I am looking at this method particularly. https://github.com/janinko/ghprb/blob/7fc283ac6561dfbb554ea2a804dfb71ed369c951/src/main/java/org/jenkinsci/plugins/ghprb/GhprbGitHubAuth.java#L124

Is there anything that you think is user specific or commit specific about this check?

serv avatar Mar 07 '16 18:03 serv

You have the right one for github, but the secret in Jenkins is part of the webhook instead. I will look it up tonight if you still can't find it.

DavidTanner avatar Mar 07 '16 22:03 DavidTanner

I am also having this problem. I generated a new hash and these keys are the same, but the problem still persists.

BreaGaudioso avatar May 06 '16 18:05 BreaGaudioso

@DavidTanner @serv Was there any clarity on the issue here?

BreaGaudioso avatar May 06 '16 18:05 BreaGaudioso

@BreaGaudioso I couldn't resolve the issue. The only way I could get around this issue was to:

  1. Create a branch from master.
  2. Manually change all the code again.
  3. Make a PR.

serv avatar May 08 '16 23:05 serv

@BreaGaudioso Have you verified that the secret you have set up with GitHub matches the secret you are using in the main jenkins config?

DavidTanner avatar May 09 '16 15:05 DavidTanner

I also got the same issue; for me it started after adding the GitHub Authentication plugin.

False alarm: in my case the "Shared secret" setting at Configure System wasn't matching the webhook secret.

sragatsky avatar May 11 '16 15:05 sragatsky

@DavidTanner Yes, I have verified this. The strange thing is, Jenkins will occasionally run the PR normally. It is about 1/3 times that it does not work.

BreaGaudioso avatar May 11 '16 15:05 BreaGaudioso

I am seeing the same issue. Was this resolved by any chance?

parinmaru2 avatar Jul 02 '19 06:07 parinmaru2

This started happening on our Jenkins instance today with no changes to configuration/plugins/GitHub web hook config. PRs from other branches would build fine, but one branch kept getting this error.

In case anyone else has this problem, the only workaround I could find was to:

  1. Checkout a new branch from the branch you want to merge e.g. git checkout my-feature && git checkout -b my-feature-2
  2. Create a new PR for the new my-feature-2 branch
  3. CI runs fine for the new PR

Edit: ignore the above. I’ve found the source of my problem at least, maybe it’ll help someone else.

Our GitHub hooks get sent to a ‘reverse proxy’ (actually a web app that forwards them to a non-internet facing server). The reverse proxy URL-decodes the request body and URL-encodes it again before forwarding the request. GitHub’s x-www-form-urlencoded request body doesn’t encode tildes (~), but when we re-encode the request the tildes become %7E. This meant the signature/hash generated from the request body by GitHub didn’t match the one generated by Jenkins. This meant any PRs with ~~strikethrough~~ failed the signature check.

Tl;dr: If your hooks don’t go directly to Jenkins, check you aren’t messing up the encoding of the body en route.

lgraham1 avatar Jan 13 '20 14:01 lgraham1
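
The failure described in the last comment, reproduced as an added example (not code from this thread or from the ghprb plugin): a forwarder that decodes and re-encodes the form body changes the signed bytes only when the payload contains a tilde, which is why some PRs pass and others fail. It assumes the signature is an HMAC-SHA1 hex digest of the raw body keyed with the shared secret; the secret, both payloads and the `proxy_reencode` forwarder are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

SECRET = b"constructed-shared-secret"  # constructed, not a real secret


def sign(body: bytes, secret: bytes = SECRET) -> str:
    """HMAC-SHA1 hex digest over the exact bytes of the request body."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify(body: bytes, external_sig: str, secret: bytes = SECRET) -> bool:
    """Constant-time comparison of the local and external signatures."""
    return hmac.compare_digest(sign(body, secret), external_sig)


def form_body(payload: str, escape_tilde: bool) -> bytes:
    """Form-encode payload=<json>; optionally escape '~' as %7E."""
    encoded = quote(payload, safe="~")
    if escape_tilde:
        encoded = encoded.replace("~", "%7E")
    return b"payload=" + encoded.encode("ascii")


def proxy_reencode(body: bytes) -> bytes:
    """Hypothetical forwarder: decode the form body, then encode it again."""
    (key, value), = parse_qsl(body.decode("ascii"))
    if key != "payload":
        raise ValueError("unexpected form field: " + key)
    return form_body(value, escape_tilde=True)


def first_difference(a: bytes, b: bytes, context: int = 8):
    """Return (offset, slice_of_a, slice_of_b) at the first differing byte."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, a[i:i + context], b[i:i + context]
    return None if len(a) == len(b) else (min(len(a), len(b)), b"", b"")


# Constructed PR payloads: one plain title, one using ~~strikethrough~~.
PLAIN = '{"pull_request":{"title":"Fix login"}}'
STRUCK = '{"pull_request":{"title":"~~WIP~~ Fix login"}}'
```

Running `first_difference` on the body as sent and the body as received by Jenkins points at the exact byte an intermediary rewrote; forwarding the body bytes untouched keeps the signature valid.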