Signature verification in webhooks is a crucial security measure employed to ensure the integrity and authenticity of incoming data. Our webhook includes a signature which is a cryptographic hash derived from the payload and a shared secret. You are supposed to use this shared secret to independently compute the hash and compare it with the received signature. If the computed hash matches the received signature, it signifies that the payload has not been tampered with during transmission and originated from the expected source, thus, establishing trust and security. This verification mechanism safeguards against potential threats like data tampering and unauthorized access, enhancing the overall reliability of our webhook integration. There are 3 essentials steps to follow to ensure a proper signature verification. They are as follows;
1

Calculate HMAC Signature

Generate a secure Hash-based Message Authentication Code (HMAC) signature by applying a cryptographic hash function to the payload using a shared secret, ensuring data integrity.
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/base64"
    "fmt"
)

func main() {
    signatureKey := "..."
    payload := "{\"event_type\":\"payment_success\"...}"
    timestamp := headers["nomba-timestamp"]

    bytes := []byte(payload + ":" + timestamp)

    h := hmac.New(sha256.New, []byte(signatureKey))
    h.Write(bytes)
    hmacVal := h.Sum(nil)

    fmt.Println(base64.StdEncoding.EncodeToString(hmacVal))
}
2

Base64 Conversion

Convert the calculated HMAC signature into a Base64-encoded format, facilitating secure and efficient representation for transmission and validation in the webhook process.
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/base64"
    "fmt"
)

func main() {
    hmacValBase64 := base64.StdEncoding.EncodeToString(hmacVal)
    fmt.Println(hmacValBase64)
}
3

Compare signatures

Verify the integrity of incoming data by comparing the computed HMAC signature with the received signature, ensuring a match to establish the authenticity of the webhook payload.
package main

import (
    "encoding/base64"
    "fmt"
)

func main() {
    digest := "..."
    signature := "..."

    valid := digest == signature
    fmt.Println(valid)
}