Verifying X-Hook-Signature on Asana Webhook

So, I’m really confused about this optional but highly recommended step for receiving the Events in a registered Webhook target.

As far as I understand the X-Hook-Signature header is the precomputed hash of the data using the shared secret that was exchanged through the initial handshake to create the webhook. If this is correct, from what I understand all I need to do to verify the data is real and that it came from Asana is to use the secret key to compute a hash on the posted data using the HMACSHA256 algorithm and compare it to the X-Hook-Signature value.

However, the X-Hook-Signature header contains a 64 bytes hash, but ALL computed HMACSHA256 are 256 bits, or 32 bytes, so what is going on here? The length of the hashes is a complete mismatch, so the comparison would always fail. Am I missing something here? Any help would be appreciated.


Hey Daniel,

I’m having this exact question. Were you able to figure out what was happening?

Hey Oscar, I was never able to figure this out and no one replied here in the forums. Let me know if you find a solution!

Slightly old post, but just wanted to chime in.

SHA256 is 64 characters long. SHA256 is always 256 bits long, equivalent to 32 bytes, or 64 bytes in a hexadecimal string format.

I use php function:

hash_hmac('sha256', $requestBody, $secret)

Which returns 64 characters, which is how long the Asana signature is.
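
As an added example (not part of the original thread and not Asana's own code), here is the same check in Python: it shows that the 32-byte HMAC-SHA256 digest becomes 64 characters once hex-encoded, and compares the header in constant time against the digest of the raw request body. The secret, body and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

DIGEST_BYTES = hashlib.sha256().digest_size  # 32 raw bytes (256 bits)
HEX_CHARS = DIGEST_BYTES * 2                 # 64 characters once hex-encoded


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of the body, like PHP's hash_hmac('sha256', ...)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is the hex HMAC of raw_body under secret."""
    if not header_value:
        return False                      # header missing or empty
    candidate = header_value.strip()
    if len(candidate) != HEX_CHARS:
        return False                      # not a hex-encoded SHA-256 digest
    try:
        received = bytes.fromhex(candidate)
    except ValueError:
        return False                      # contains non-hex characters
    expected = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


# Constructed sample values, not real Asana data.
SAMPLE_SECRET = "constructed-example-secret"
SAMPLE_BODY = b'{"events":[{"action":"changed","resource":{"gid":"12345"}}]}'
SAMPLE_HEADER = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)

if __name__ == "__main__":
    print("raw digest bytes:", len(bytes.fromhex(SAMPLE_HEADER)))
    print("hex characters:  ", len(SAMPLE_HEADER))
    print("valid signature: ", verify_signature(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER))
    # Parsing and re-serialising the JSON changes the bytes, so the HMAC no
    # longer matches: always hash the body exactly as it was received.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    print("re-serialised:   ", verify_signature(SAMPLE_SECRET, reserialised, SAMPLE_HEADER))
```
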