hi
@gentle-morning-2222 do you mind sharing the following info:
• code sample of your implementation
• which web framework you're using and the version
• the error you're receiving (and which line in the code sample provided it happens at)
it'll allow me to narrow down where you may be experiencing the issue.
you may find this example implementation in javascript useful. the cryptography would be a similar approach but in java:
https://github.com/growthbook/examples/blob/main/webhooks-impl/middleware/authenticateWebHooks.js
one of the places where webhook signature verification could go wrong is if you have some kind of middleware layer when getting the request body and it transforms the request body (so it isn't verbatim as it was sent). you need the raw request body without it having been processed by any middleware to use for the comparison, otherwise the signature verification would fail, even if the crypto stuff is implemented correctly. in express, for example, we need to use the raw body middleware to get access to the body before it is transformed by other middleware. how this is done in java depends on the web framework you're using.
also, before doing a signature verification with a time-safe equal compare function, you will need to ensure both strings are the same length, as time-safe compare will not allow you to compare strings of different sizes in most libraries.
we don't yet have an example implementation in java but this should hopefully help.
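
The two failure modes described in this message, as an added example in Node.js (not part of the original message and not GrowthBook's own code): it verifies a signature over the raw body, shows that a re-serialized body fails, and checks lengths before the constant-time compare. It assumes the signature is a hex-encoded HMAC-SHA256 of the raw body; the secret, payload and function names are constructed for illustration.

```javascript
const crypto = require("crypto");

// Assumption: the signature is hex(HMAC-SHA256(secret, raw request body)).
function sign(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// rawBody must be the exact bytes received, before any JSON/body parsing.
function verifySignature(secret, rawBody, receivedSig) {
  if (typeof receivedSig !== "string") return false; // header missing
  const expected = Buffer.from(sign(secret, rawBody), "utf8");
  const received = Buffer.from(receivedSig, "utf8");
  // crypto.timingSafeEqual throws when the lengths differ, so reject first.
  if (expected.length !== received.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Shows what happens when the length check is skipped.
function unguardedCompareThrows() {
  try {
    crypto.timingSafeEqual(Buffer.from("ab"), Buffer.from("abc"));
    return false;
  } catch {
    return true;
  }
}

// Constructed sample data (not real GrowthBook traffic).
const SECRET = "example-secret";
const RAW_BODY = Buffer.from('{"type": "test",  "data": {"b":2, "a":1}}', "utf8");
const SIGNATURE = sign(SECRET, RAW_BODY); // what the sender would attach

function demo() {
  // Simulates middleware that parsed the JSON and serialized it again:
  // same data, different bytes (whitespace is gone), so the HMAC differs.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString("utf8"))));
  return {
    rawBody: verifySignature(SECRET, RAW_BODY, SIGNATURE),
    reserializedBody: verifySignature(SECRET, reserialized, SIGNATURE),
    truncatedSignature: verifySignature(SECRET, RAW_BODY, SIGNATURE.slice(0, 10)),
    missingSignature: verifySignature(SECRET, RAW_BODY, undefined),
  };
}

console.log(demo(), { unguardedCompareThrows: unguardedCompareThrows() });
```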