Switch to SHA-256 HMAC

StevenMaude · Copilot · StevenMaude · commit 4f6a399ee470 · 2026-04-17T16:32:44.000+01:00
Remove uses of SHA-1 entirely.

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
diff --git a/main.go b/main.go
@@ -159,7 +159,7 @@ func ActionMakeTokens(_ context.Context, c *cli.Command) error {
 			log.Fatalf("URL %q doesn't parse: %v", arg, err)
 		}
 
-		mac := hookbot.Sha1HMAC(key, argURL.Path)
+		mac := hookbot.Sha256HMAC(key, argURL.Path)
 		if c.Bool("bare") {
 			fmt.Println(mac)
 		} else {
diff --git a/pkg/hookbot/auth.go b/pkg/hookbot/auth.go
@@ -2,16 +2,16 @@ package hookbot
 
 import (
 	"crypto/hmac"
-	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/subtle"
 	"fmt"
 	"net/http"
 	"regexp"
 	"strings"
 )
 
-func Sha1HMAC(key, payload string) string {
-	mac := hmac.New(sha1.New, []byte(key))
+func Sha256HMAC(key, payload string) string {
+	mac := hmac.New(sha256.New, []byte(key))
 	_, _ = mac.Write([]byte(payload))
 	return fmt.Sprintf("%x", mac.Sum(nil))
 }
@@ -67,14 +67,14 @@ func (h *Hookbot) IsKeyOK(w http.ResponseWriter, r *http.Request) bool {
 
 	// Try all subpaths and see if any of them matches the given MAC.
 	for _, subpath := range subpaths(r.URL.Path) {
-		expectedMac := Sha1HMAC(h.key, subpath)
+		expectedMac := Sha256HMAC(h.key, subpath)
 		if SecureEqual(givenMac, expectedMac) {
 			return true
 		}
 
 		// See if HMAC matches the URL without the {/pub,/sub} prefix.
 		// These tokens are valid for both pub and sub.
-		expectedMac = Sha1HMAC(h.key, noPrefix(subpath))
+		expectedMac = Sha256HMAC(h.key, noPrefix(subpath))
 		if SecureEqual(givenMac, expectedMac) {
 			return true
 		}
diff --git a/pkg/hookbot/auth_test.go b/pkg/hookbot/auth_test.go
@@ -42,7 +42,7 @@ func TestAuthMissingFail(t *testing.T) {
 func TestAuthInvalidSecret(t *testing.T) {
 	w, r := MakeRequest("POST", "/pub/", "MESSAGE")
 
-	token := Sha1HMAC(TEST_KEY, "/pub/not/the/same/as/above") // bad secret
+	token := Sha256HMAC(TEST_KEY, "/pub/not/the/same/as/above") // bad secret
 	r.SetBasicAuth(token, "")
 
 	func() {
@@ -61,7 +61,7 @@ func TestAuthInvalidSecret(t *testing.T) {
 func TestAuthSuccess(t *testing.T) {
 	w, r := MakeRequest("POST", "/pub/place", "MESSAGE")
 
-	token := Sha1HMAC(TEST_KEY, "/pub/place")
+	token := Sha256HMAC(TEST_KEY, "/pub/place")
 	r.SetBasicAuth(token, "")
 
 	func() {
@@ -80,7 +80,7 @@ func TestAuthSuccess(t *testing.T) {
 func TestAuthPubSub(t *testing.T) {
 
 	// Valid for both pub and sub, for lack of {/pub,/sub} prefix
-	token := Sha1HMAC(TEST_KEY, "/place")
+	token := Sha256HMAC(TEST_KEY, "/place")
 
 	w, r := MakeRequest("POST", "/pub/place", "MESSAGE")
 	r.SetBasicAuth(token, "")
@@ -118,7 +118,7 @@ func TestAuthPubSub(t *testing.T) {
 func TestAuthSuccessSubstring(t *testing.T) {
 	w, r := MakeRequest("POST", "/pub/place/sub/sub/sub", "MESSAGE")
 
-	token := Sha1HMAC(TEST_KEY, "/pub/place/")
+	token := Sha256HMAC(TEST_KEY, "/pub/place/")
 	r.SetBasicAuth(token, "")
 
 	func() {
@@ -138,7 +138,7 @@ func TestAuthSuccessSubstring(t *testing.T) {
 func TestAuthFailSubstring(t *testing.T) {
 	w, r := MakeRequest("POST", "/pub/post", "MESSAGE")
 
-	token := Sha1HMAC(TEST_KEY, "/pub/po")
+	token := Sha256HMAC(TEST_KEY, "/pub/po")
 	r.SetBasicAuth(token, "")
 
 	func() {
diff --git a/pkg/hookbot/hookbot_test.go b/pkg/hookbot/hookbot_test.go
@@ -13,7 +13,7 @@ func TestPubSub(t *testing.T) {
 		messages = hookbot.Add("test/topic").c
 
 		w, r := MakeRequest("POST", "/test/topic", "MESSAGE")
-		token := Sha1HMAC(TEST_KEY, "/test/topic")
+		token := Sha256HMAC(TEST_KEY, "/test/topic")
 		r.SetBasicAuth(token, "")
 
 		hookbot.ServeHTTP(w, r)
diff --git a/pkg/router/github/auth.go b/pkg/router/github/auth.go
@@ -2,20 +2,13 @@ package github
 
 import (
 	"crypto/hmac"
-	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/json"
 	"fmt"
 	"log"
 )
 
-func Sha1HMAC(key string, payload []byte) string {
-	mac := hmac.New(sha1.New, []byte(key))
-	_, _ = mac.Write(payload)
-	return fmt.Sprintf("%x", mac.Sum(nil))
-}
-
 func Sha256HMAC(key string, payload []byte) string {
 	mac := hmac.New(sha256.New, []byte(key))
 	_, _ = mac.Write(payload)
diff --git a/pkg/router/github/github.go b/pkg/router/github/github.go
@@ -75,7 +75,7 @@ func ActionRoute(_ context.Context, c *cli.Command) error {
 	outbound := make(chan listen.Message, 1)
 
 	publish := func(m hookbot.Message) bool {
-		token := Sha1HMAC(c.String("key"), []byte(m.Topic))
+		token := Sha256HMAC(c.String("key"), []byte(m.Topic))
 
 		outURL := fmt.Sprintf("https://%v@%v/pub/%s", token, target.Host, m.Topic)
 

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ func ActionMakeTokens(_ context.Context, c *cli.Command) error {`
`159`	`159`	`log.Fatalf("URL %q doesn't parse: %v", arg, err)`
`160`	`160`	`}`
`161`	`161`
`162`		`- mac := hookbot.Sha1HMAC(key, argURL.Path)`
	`162`	`+ mac := hookbot.Sha256HMAC(key, argURL.Path)`
`163`	`163`	`if c.Bool("bare") {`
`164`	`164`	`fmt.Println(mac)`
`165`	`165`	`} else {`