ERROR: The signature is invalid.

[Richard2012]

We are not certain what is really meant as 'signature_header_name' in the config file. This is the likely cause of the 'The signature is invalid' error. How and where do I find the signature_header_name?

[PaulUniHomes]

That would depend on the name of the header that is being sent across in the request to your endpoint.

If you look in the example, you'll see it is set as 'Signature':

$webhookConfig = new \Spatie\WebhookClient\WebhookConfig([
    'name' => 'webhook-sending-app-1',
    'signing_secret' => 'secret-for-webhook-sending-app-1',
    'signature_header_name' => 'Signature', // This is where it is set
    'signature_validator' => \Spatie\WebhookClient\SignatureValidator\DefaultSignatureValidator::class,
    'webhook_profile' => \Spatie\WebhookClient\WebhookProfile\ProcessEverythingWebhookProfile::class,
    'webhook_response' => \Spatie\WebhookClient\WebhookResponse\DefaultRespondsTo::class,
    'webhook_model' => \Spatie\WebhookClient\Models\WebhookCall::class,
    'process_webhook_job' => '',
]);

If you look at DefaultSignatureValidator, it pulls the signature from the request headers based on the value you set there:

$signature = $request->header($config->signatureHeaderName);

So in this instance, it will look for $signature = $request->header('Signature'); (If you have a look at the WebhookConfig class, you can see how the properties being passed into it as an array are converted).

If you check the headers on the inbound request, you should see if that is what the key for the signature being sent is, and if not, then change the signature_header_name value to whatever the key is in the header.

[Richard2012]

The problem is in
$this->ensureValidSignature();in WebhookProcessor.php

[PaulUniHomes]

Hi Richard

The SECRET from the .env never comes in the header in my case (Paypal).

No that's not how the signature works, it's not sending you the signature in a raw format as that would be insecure. I haven't worked with the PayPal webhook, but let me try and explain what I think it might do to help you progress things.

Here's a really basic example:

$signature = $request->header($config->signatureHeaderName);

$signingSecret = $config->signingSecret;

$computedSignature = hash_hmac('sha256', $request->getContent(), $signingSecret);

return hash_equals($signature, $computedSignature);

So on your configuration for the webhook, you'll have something like:
'signing_secret' => env('WEBHOOK_CLIENT_SECRET'),
'signature_header_name' => 'paypal-transmission-sig',

So if we raw out the original basic example:
$signature = 'BUrgLte0te2571OEq3oapo7ro42+o9RyRGgI82S8rNIhYDumcIFWwhS5BUmFH0Xon6x7p5rxgn1X678R0DURUICO+crLcn3xjB3L0wa2milKOzWqL+xH4rdsMbLQy6vdqbX9Fb2S1uz8zkwLxJQLAZr+G0hBq7AH4AxoGhusabC2RG3dUGs4MLpmIAhTNwrlmFFRGuxzIGS3GaTKYzdzNYHHgO2HhgTfX20VjKL0p1Ldp8yEHHxyYYV8MnpmUHZW63WTUAN62d0ociwiF/kkrvq/3J9VEV+t+j0l4osN0kA0vU66Spezpzl/0W+Hy9vn9QVUujhkFJKauCFIqDU4YQ==';

$signingSecret = 'ENV10VjX3YfNUIWZLeiRMDhXU_PucAVzmTYpC9UHbrr92M9JY_mfKRNmherFPyCwnZ4KKuUTscHzuDMh';

$computedSignature = hash_hmac('sha256', $request->getContent(), $signingSecret);

return hash_equals($signature, $computedSignature);

What you're doing basically is saying ok, if I take my webhook client secret value, and I use that to hash the content that has been sent over by PayPal, does the resulting value match the signature that PayPal sent as the paypal-transmission-sig header value.

Does that make more sense?

[Richard2012]

It makes perfect sencs, thank you for the reply in rocket time, will be back tomorrow.
Should the real values I have posted return true at verification time?

[PaulUniHomes]

Yes, but that depends and changes based on the content that comes over.

[Richard2012]

I have now removed the quotation marks from WEBHOOK_CLIENT_SECRET and it works. It was that stupid.