[JENKINS-73851] support SHA256 HMAC in verifying webooks

The Github plugin <a href="https://github.com/jenkinsci/github-plugin/blob/91d9641f7713143e84b00aedb4dcf2fb17c185cd/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L145-L161" class="external-link" target="_blank" rel="nofollow noopener">currently validates</a> received webhooks using the <a href="https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#:~:text=The%20X%2DHub%2DSignature%20header%20uses%20the%20HMAC%2DSHA1%20algorithm%20and%20is%20only%20included%20for%20legacy%20purposes." class="external-link" target="_blank" rel="nofollow noopener">legacy</a> sha-1 HMAC.



The plugin should migrate to use the <tt>X-Hub-Signature-256</tt> header and the SHA256 HMAC.


See <a href="https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries" class="external-link" target="_blank" rel="nofollow noopener">https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries</a> for details.

---
<details><summary>Originally reported by <img align="left" width="20" src="https://raw.githubusercontent.com/jenkinsci/artifacts-from-jira-issues/refs/heads/main/avatars/teilo.png" title="teilo's avatar" /> <a href="https://issues.jenkins.io/secure/ViewProfile.jspa?name=teilo">teilo</a>, imported from: <a class="original-jira-link" href="https://issues.jenkins.io/browse/JENKINS-73851" target="_blank">support SHA256 HMAC in verifying webooks</a></summary>
<ul>
<li>assignee: <img align="left" width="20" src="https://raw.githubusercontent.com/jenkinsci/artifacts-from-jira-issues/refs/heads/main/avatars/lanwen.png" title="lanwen's avatar" /> <a href="https://issues.jenkins.io/secure/ViewProfile.jspa?name=lanwen">lanwen</a>
<li>status: Open
<li>priority: Minor
<li>component(s): github-plugin
<li>resolution: Unresolved
<li>votes: 0
<li>watchers: 1
<li>imported: 2025-12-08
</ul>
<details><summary>Raw content of original issue</summary>

<pre>
The Github plugin <a href="https://github.com/jenkinsci/github-plugin/blob/91d9641f7713143e84b00aedb4dcf2fb17c185cd/src/main/java/org/jenkinsci/plugins/github/webhook/RequirePostWithGHHookPayload.java#L145-L161" class="external-link" target="_blank" rel="nofollow noopener">currently validates</a> received webhooks using the <a href="https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#:~:text=The%20X%2DHub%2DSignature%20header%20uses%20the%20HMAC%2DSHA1%20algorithm%20and%20is%20only%20included%20for%20legacy%20purposes." class="external-link" target="_blank" rel="nofollow noopener">legacy</a> sha-1 HMAC.



The plugin should migrate to use the <tt>X-Hub-Signature-256</tt> header and the SHA256 HMAC.


See <a href="https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries" class="external-link" target="_blank" rel="nofollow noopener">https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries</a> for details.</pre>
</details>
</details>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[JENKINS-73851] support SHA256 HMAC in verifying webooks #764

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[JENKINS-73851] support SHA256 HMAC in verifying webooks #764

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions