Token validation fails on certain events

I have a webhook set up to send all events for all Entity types and all fields available in the schema, to check if all events can be treated.
Our endpoint validates the token by using the recommended approach:

    import hashlib
    import hmac

    def validate_sg_secret_token(self, request):
        """
        Validate that the SgHook's secret token is valid,
        i.e. corresponds to the one set in Shotgun for the Hook.

        .. seealso:: https://developer.shotgunsoftware.com/3d448f5e/#signature-verification

        :param request: A :class:`HttpRequest` instance.
        :returns: A bool, ``True`` if the secret token is valid, ``False`` otherwise.
        """
        # Sign the raw request bytes exactly as received, not a re-serialised payload.
        body = request.body
        secret_token = self.secret_token.encode()
        generated_signature = "sha1=%s" % hmac.new(secret_token, body, hashlib.sha1).hexdigest()
        # Django exposes the X-SG-Signature header as HTTP_X_SG_SIGNATURE in META.
        signature = request.META.get("HTTP_X_SG_SIGNATURE")
        if not signature:
            return False
        # Constant-time comparison so a mismatch does not leak timing information.
        return hmac.compare_digest(signature, generated_signature)

It works fine for a majority of events, but for some of them, the validation fails:
uploaded_config changed on PipelineConfiguration 72 by user 148
sg_uploaded_movie_mp4 changed on Version 22670 by user 130
sg_uploaded_movie_webm changed on Version 22669 by user 130

For one of these, for example sg_uploaded_movie_mp4, these are the headers:

{
  "accept": "application/json",
  "user-agent": "SG event-pipeline",
  "content-type": "application/json; charset=utf-8",
  "x-sg-signature": "sha1=adfafdafjkadl;fjkadlfdjak;fda" (EDITED IT TO NOT HAVE THE REAL SIGNATURE HERE),
  "x-sg-webhook-id": "b3abfff7-2009-486d-a158-6a221e12ccce",
  "x-sg-delivery-id": "fc846b97-f62c-479a-ae7e-c835da1271bb",
  "x-sg-event-batch-id": "49598278149308584818866679699646100057626115312772448658",
  "x-sg-event-batch-size": "10",
  "x-sg-webhook-site-url": "https://gpltechdemos.shotgunstudio.com/",
  "x-sg-event-batch-index": "6"
}

This is the payload:

{
  "data": {
    "id": "199845.22417.0",
    "meta": {
      "type": "attribute_change",
      "entity_id": 22670,
      "new_value": {
        "url": "https://sg-media-usor-01.s3-accelerate.amazonaws.com/8e1a9f6b4c4e3aa0ecc356f91937c9d2662fa221/f023b43a84c2f78c6d64ed339d93ea95abdec8f9/ARR0200_comp_VKS_v0048.mp4?response-content-disposition=filename%3D%22ARR0200_comp_VKS_v0048.mp4%22&x-amz-meta-user-id=130&x-amz-meta-user-type=HumanUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAYJG6Z4JI3Y2THCLP%2F20210512%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210512T210859Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Security-Token=FwoGZXIvYXdzEE4aDCO%2FYVGepp5UoMDPPCKvAXB02uUiFLdQBEm25Jh5YmLA2ENNw7ossBpFeb1VIfl8PHO%2Ff5DwNDoALfIKbu2fygiAUHsX55RS8RjDL8FLVLBti1oDj9XIlgggIDu9dNM5%2Bmr9p6EHIVVwAEwVX8crIfMGHx36VoxqdPSz50UxVw1VjVaJVZQMif7cqLDBgAnFZlBuHRRx0YhkvwX0HHddELHp2Hd5JVioCahdpwCwTmKOnrf4qNhVKdKfxZVX5YQohPLwhAYyLfVo2MxfPIG1iwnmvvuyvQk5C3shue0B0%2BqI5ZQLN6BJK4ZfIrLS3et9qwnmlA%3D%3D&X-Amz-Signature=542ab0e33c93d3f57d4538792de37dbf5de3250a0b5b89f88437f168cbbddb9c",
        "icon_url": "/images/filetypes/filetype_icon_misc.png",
        "icon_class": "filetype_icon_misc",
        "display_name": "ARR0200_comp_VKS_v0048.mp4",
        "attachment_id": 39502,
        "original_fname": "ARR0200_comp_VKS_v0048.mp4",
        "attachment_type": "s3_uploaded_file",
        "fullsize_thumbnail_url": null
      },
      "old_value": null,
      "entity_type": "Version",
      "attribute_name": "sg_uploaded_movie_mp4",
      "field_data_type": "url"
    },
    "user": {
      "id": 130,
      "type": "HumanUser"
    },
    "entity": {
      "id": 22670,
      "type": "Version"
    },
    "project": {
      "id": 135,
      "type": "Project"
    },
    "operation": "update",
    "created_at": "2021-05-12 21:08:59.858456",
    "event_type": "Shotgun_Version_Change",
    "delivery_id": "fc846b97-f62c-479a-ae7e-c835da1271bb",
    "session_uuid": null,
    "attribute_name": "sg_uploaded_movie_mp4",
    "event_log_entry_id": 2186388
  },
  "timestamp": "2021-05-12T21:11:27Z"
}

And this is the response body:

Invalid secret token for stress_test_hook at gpltechdemos(https://gpltechdemos.shotgunstudio.com)

Since we don’t have a lot of activity on this test server, I cannot know if there are other Entity types/fields that fail for secret token validation.

Is there something wrong with the code, or why do you think this is not working for certain events?
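As an added, stand-alone illustration of the check discussed above (this is example code, not the poster's method or ShotGrid's own library), the verifier below computes the documented `sha1=<hex>` HMAC over the raw body bytes, rejects a missing or malformed `x-sg-signature` header instead of comparing against `None`, and uses a constant-time comparison. The secret, the header dictionary and the body are constructed sample values, not the ones from this thread. The last function shows a general pitfall with any body-signing scheme: if the body is parsed and re-serialised before hashing, the bytes (and therefore the signature) change, so the exact bytes received must be signed.

```python
import hashlib
import hmac
import json

# Constructed sample secret (not the value used by the poster's hook).
SECRET_TOKEN = "example-webhook-secret"
SIGNATURE_HEADER = "x-sg-signature"


def compute_signature(secret_token: str, body: bytes) -> str:
    """Return the 'sha1=<hex>' value the signature-verification docs describe,
    computed as HMAC-SHA1 over the exact raw request body bytes."""
    digest = hmac.new(secret_token.encode("utf-8"), body, hashlib.sha1).hexdigest()
    return "sha1=%s" % digest


def verify_signature(secret_token: str, headers: dict, body: bytes) -> bool:
    """Validate one delivery.

    - A missing header, or one without the 'sha1=' prefix, is rejected outright
      rather than compared against None.
    - hmac.compare_digest is used so a mismatch does not leak how many leading
      characters matched.
    """
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER)
    if not isinstance(received, str) or not received.isascii():
        return False
    if not received.startswith("sha1="):
        return False
    expected = compute_signature(secret_token, body)
    return hmac.compare_digest(received, expected)


def raw_vs_reserialized(secret_token: str, body: bytes) -> tuple:
    """Return (signature over raw bytes, signature over re-serialised JSON,
    whether the two byte strings are identical). Pretty-printed input becomes
    a single compact line after json.dumps, so the signatures differ."""
    reserialized = json.dumps(json.loads(body), sort_keys=True).encode("utf-8")
    return (
        compute_signature(secret_token, body),
        compute_signature(secret_token, reserialized),
        body == reserialized,
    )


# Constructed delivery body, modelled loosely on the payload shape shown above
# (pretty-printed, with a URL containing percent-encoding).
SAMPLE_BODY = (
    b'{\n'
    b'  "data": {\n'
    b'    "id": "1.2.0",\n'
    b'    "meta": {\n'
    b'      "attribute_name": "sg_uploaded_movie_mp4",\n'
    b'      "new_value": {"url": "https://example.invalid/file.mp4?a=%2F&b=1"}\n'
    b'    }\n'
    b'  },\n'
    b'  "timestamp": "2021-05-12T21:11:27Z"\n'
    b'}'
)

if __name__ == "__main__":
    good_headers = {"X-SG-Signature": compute_signature(SECRET_TOKEN, SAMPLE_BODY)}
    print("valid delivery:", verify_signature(SECRET_TOKEN, good_headers, SAMPLE_BODY))
    print("missing header:", verify_signature(SECRET_TOKEN, {}, SAMPLE_BODY))
    raw_sig, reser_sig, same_bytes = raw_vs_reserialized(SECRET_TOKEN, SAMPLE_BODY)
    print("re-serialised bytes identical:", same_bytes, "signatures equal:", raw_sig == reser_sig)
```

When wiring this into a framework handler, pass the request's raw body (`request.body` in Django) straight to `verify_signature`; logging the computed and received values side by side on failure, with the secret itself never logged, is the quickest way to tell a missing header from a body-mismatch.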

Hi Kevin,
Sorry to see you are having problems with signatures. This is the first time I see this being reported.

Your code looks fine. Weird thing is that it sometimes works and sometimes it doesn’t. Normally, with signatures, getting things to line up is the hard part but once you have it, it works in all cases…

Maybe one thing to verify is that you do get a signature value in the X_SG_SIGNATURE header all the time (might be a bug on our side…)

You’re right, I just checked what is reported by the webhook on Shotgun side, but not what I am actually getting. I’ll double check, thanks

Although from your example it doesn’t look like the cause of this problem, we did fix an obscure signature generation bug recently.