From 493e94de50ecdd10025b526e3d1305ed7821a487 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A5=B6=E7=88=B8?= <1@5.nu>
Date: Mon, 19 Mar 2018 16:16:01 +0800
Subject: [PATCH] [fix] Gogs signature calc
---
 gogs/gogs.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/gogs/gogs.go b/gogs/gogs.go
index 9475271..da04d59 100644
--- a/gogs/gogs.go
+++ b/gogs/gogs.go
@@ -14,8 +14,7 @@ import (
 "github.com/naiba/webhooks"
 client "github.com/gogits/go-gogs-client"
 "crypto/hmac"
- "crypto/sha1"
- "encoding/hex"
+ "crypto/sha256"
 )
 // Webhook instance contains all methods needed to process events
@@ -107,12 +106,12 @@ func (hook Webhook) ParsePayload(w http.ResponseWriter, r *http.Request) {
 }
 webhooks.DefaultLog.Debug(fmt.Sprintf("X-Gogs-Signature:%s", signature))
- mac := hmac.New(sha1.New, []byte(hook.secret))
+ mac := hmac.New(sha256.New, []byte(hook.secret))
 mac.Write(payload)
- expectedMAC := hex.EncodeToString(mac.Sum(nil))
+ expectedMAC := mac.Sum(nil)
- if !hmac.Equal([]byte(signature[5:]), []byte(expectedMAC)) {
+ if !hmac.Equal([]byte(signature), expectedMAC) {
 webhooks.DefaultLog.Error("HMAC verification failed")
 http.Error(w, "403 Forbidden - HMAC verification failed", http.StatusForbidden)
 return
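Review bot: In the second hunk, `hmac.Equal([]byte(signature), expectedMAC)` compares the header text with the raw 32-byte digest from `mac.Sum(nil)`, and the first hunk drops the `"encoding/hex"` import that the old code used to bridge the two. Gogs sends X-Gogs-Signature as the hex encoding of the HMAC-SHA256, so unless `signature` is already hex-decoded above the hunk (the Debug line prints it with `%s`, which suggests it is the header string), the lengths differ and every delivery is rejected with 403. Keep the hex import and decode before the constant-time compare: `sig, err := hex.DecodeString(signature)` followed by `if err != nil || !hmac.Equal(sig, expectedMAC) {`. That also rejects malformed headers explicitly instead of relying on a length mismatch. ParsePayload begins and ends outside the hunk, so how `signature` and `payload` are read should be confirmed against the full function.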