How to calculate signature for YouTube PubSubHubbub data


I have been working on YouTube Push Notifications Subscription.

I'm able to subscribe to it and did receive push notifications from YouTube. I have used an HMAC secret for this subscription. I need to confirm that the data I'm receiving is sent from the YouTube server. I can't find any document explaining how PubSubHubbub creates the signature.

I have tried the following steps:

  1. normalized the request body (which is XML content),
  2. created a SHA1 digest in HEX form.

But this signature doesn't match with the one sent from PubSubHubbub.

Could anyone please explain the steps to calculate the signature for this purpose?

Thanks in advance.


stvar

According to the official docs of PubSubHubbub Core (v0.4, the latest), you have to follow precisely the algorithm described there:

8. Authenticated Content Distribution

If the subscriber supplied a value for hub.secret in their subscription request, the hub MUST generate an HMAC signature of the payload and include that signature in the request headers of the content distribution request. The X-Hub-Signature header's value MUST be in the form sha1=signature where signature is a 40-byte, hexadecimal representation of a SHA1 signature [RFC3174]. The signature MUST be computed using the HMAC algorithm [RFC2104] with the request body as the data and the hub.secret as the key.

When subscribers receive a content distribution request with the X-Hub-Signature header specified, they SHOULD recompute the SHA1 signature with the shared secret using the same method as the hub. If the signature does not match, subscribers MUST still return a 2xx success response to acknowledge receipt, but locally ignore the message as invalid. Using this technique along with HTTPS [RFC2818] for subscription requests enables simple subscribers to receive authenticated notifications from hubs without the need for subscribers to run an HTTPS [RFC2818] server.

Please note however that this signature only ensures that the payload was not forged. Since the notification also includes headers, these should not be considered as safe by the subscriber, unless of course the subscriber uses HTTPS [RFC2818] callbacks.

If you mention the programming environment that you use, I may help you further.
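The verification the spec describes, written out as an added Python example (this is not code from the answer above or from YouTube or the PubSubHubbub project). It keys HMAC-SHA1 with the hub.secret over the raw request bytes, compares against the sha1= value from the X-Hub-Signature header in constant time, and shows why the two steps tried in the question fail: an unkeyed SHA1 digest is a different function, and normalizing the XML changes the bytes the hub signed. The secret, the feed body and the handle_notification helper are constructed for illustration; the header name and the sha1= prefix come from the spec quoted in the answer.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample values (not real YouTube data): the hub.secret supplied at
# subscription time and a raw Atom body exactly as the hub would POST it.
SECRET = b"example-hub-secret"
RAW_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<feed xmlns:yt="http://www.youtube.com/xml/schemas/2015" '
    b'xmlns="http://www.w3.org/2005/Atom">\n'
    b'  <entry><yt:videoId>EXAMPLE_VIDEO_ID</yt:videoId></entry>\n'
    b'</feed>\n'
)


def hub_signature(secret: bytes, body: bytes) -> str:
    """What the hub puts in X-Hub-Signature: 'sha1=' + hex HMAC-SHA1 of the raw body."""
    mac = hmac.new(secret, body, hashlib.sha1).hexdigest()
    return f"sha1={mac}"


def plain_sha1_hex(body: bytes) -> str:
    """The approach from the question: an unkeyed SHA1 digest.

    This never matches the header, because the hub computes a keyed HMAC,
    not a bare hash of the body.
    """
    return hashlib.sha1(body).hexdigest()


def normalized(body: bytes) -> bytes:
    """Whitespace normalization of the XML, as attempted in the question.

    Any change to the bytes (even whitespace) changes the HMAC, so the
    subscriber must verify over the body exactly as transmitted.
    """
    return b"".join(line.strip() for line in body.splitlines())


def verify_notification(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Recompute HMAC-SHA1 over the raw body and compare in constant time."""
    if not header or not header.startswith("sha1="):
        return False
    expected = hmac.new(secret, body, hashlib.sha1).hexdigest()
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(expected, header[len("sha1="):].lower())


def handle_notification(secret: bytes, body: bytes, headers: Dict[str, str]) -> Tuple[int, bool]:
    """Subscriber handling per the spec: always acknowledge with 2xx, but only
    treat the payload as valid (second element True) when the signature checks out.
    Hypothetical helper; returns (HTTP status, payload accepted)."""
    accepted = verify_notification(secret, body, headers.get("X-Hub-Signature"))
    return 200, accepted


if __name__ == "__main__":
    sig = hub_signature(SECRET, RAW_BODY)
    print("hub header      :", sig)
    print("plain sha1 (bad):", plain_sha1_hex(RAW_BODY))
    print("raw body verifies       :", verify_notification(SECRET, RAW_BODY, sig))
    print("normalized body verifies:", verify_notification(SECRET, normalized(RAW_BODY), sig))
```

In a real callback handler, read the request body as bytes before any XML parser or framework middleware touches it, and keep the 2xx response on mismatch as the spec requires; the failed check should be logged and the message dropped, not turned into an error response the hub would retry.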