How to verify a webhook. unmatch

I want to use Square Terminal to receive information from the Square API webhook and save it as a JSON file in a folder, but the Received Signature and Calculated Signature do not match. Whether I wrote it in Perl or in PHP, the results did not match. The PHP code is below. I would be grateful if someone could help me.

<?php
$secret = 'Webhook Signature key';
$request_body = file_get_contents("php://input");
$received_signature = $_SERVER['HTTP_X_SQUARE_SIGNATURE'];
$signing_data = $request_body;
$calculated_signature = hash_hmac('sha256', $signing_data, $secret);

file_put_contents('/path/to/log.txt', "Received Signature: " . $received_signature . "\n", FILE_APPEND);
file_put_contents('/path/to/log.txt', "Calculated Signature: " . $calculated_signature . "\n", FILE_APPEND);
if ($received_signature === $calculated_signature) {
    file_put_contents('/path/to/log.txt', "Signatures match!\n", FILE_APPEND);
} else {
    file_put_contents('/path/to/log.txt', "Signatures do not match.\n", FILE_APPEND);
}
?>

I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

Square PHP SDK Quickstart
Using the Square PHP SDK
Build on Mobile Web

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

The code you’ve written seems correct for verifying the webhook signature. However, there are a few things you might want to check:

  1. Ensure that the ‘Webhook Signature key’ you’re using is correct. You should use the signature key that Square provides in the Developer Dashboard for your application.

  2. Make sure that the ‘HTTP_X_SQUARE_SIGNATURE’ header is being correctly received from the request. Some servers or configurations might change the case or format of the header.

  3. The data used to calculate the signature should be the raw body of the webhook POST request. Make sure that ‘php://input’ is correctly fetching the raw body data.

  4. Check that the ‘sha256’ hashing algorithm is correctly installed and functioning in your PHP environment.

If you’ve checked all these and you’re still having issues, it might be worth logging the raw request body and the headers received to ensure they contain the data you’re expecting.

This answer was reviewed by @Bryan-Square.

Thank you for your reply. The situation is as follows.

  1. The signature key is used correctly.

  2. The environment is unknown, but the Received Signature exists.

  3. $request_body = file_get_contents("php://input"); is set.

  4. It has been confirmed that sha256 can be used in the server environment.

The following results were returned from the test in the sandbox environment.

Received Signature: B8wxaiaifuY7vE/8bpGlSpfs0Gg=

Calculated Signature: fd4450c9cfd312ca43fdd15431b39cf75053b392858a1d4916bea1c9454519f9

Request Body: {"merchant_id":"6SSW7HV8K2ST5","type":"payment.created","event_id":"13b867cf-db3d-4b1c-90b6-2f32a9d78124","created_at":"2020-02-06T21:27:30.792Z","data":{"type":"payment","id":"KkAkhdMsgzn59SM8A89WgKwekxLZY","object":{"payment":{"amount_money":{"amount":100,"currency":"USD"},"approved_money":{"amount":100,"currency":"USD"},"capabilities":["EDIT_TIP_AMOUNT","EDIT_TIP_AMOUNT_UP","EDIT_TIP_AMOUNT_DOWN"],"card_details":{"avs_status":"AVS_ACCEPTED","card":{"bin":"540988","card_brand":"MASTERCARD","card_type":"CREDIT","exp_month":11,"exp_year":2022,"fingerprint":"sq-1-Tvruf3vPQxlvI6n0IcKYfBukrcv6IqWr8UyBdViWXU2yzGn5VMJvrsHMKpINMhPmVg","last_4":"9029","prepaid_type":"NOT_PREPAID"},"card_payment_timeline":{"authorized_at":"2020-11-22T21:16:51.198Z"},"cvv_status":"CVV_ACCEPTED","entry_method":"KEYED","statement_description":"SQ *DEFAULT TEST ACCOUNT","status":"AUTHORIZED"},"created_at":"2020-11-22T21:16:51.086Z","delay_action":"CANCEL","delay_duration":"PT168H","delayed_until":"2020-11-29T21:16:51.086Z","id":"hYy9pRFVxpDsO1FB05SunFWUe9JZY","location_id":"S8GWD5R9QB376","order_id":"03O3USaPaAaFnI6kkwB1JxGgBsUZY","receipt_number":"hYy9","risk_evaluation":{"created_at":"2020-11-22T21:16:51.198Z","risk_level":"NORMAL"},"source_type":"CARD","status":"APPROVED","total_money":{"amount":100,"currency":"USD"},"updated_at":"2020-11-22T21:16:51.198Z","version_token":"FfQhQJf9r3VSQIgyWBk1oqhIwiznLwVwJbVVA0bdyEv6o"}}}}

Additional information: Regarding HTTP_X_SQUARE_SIGNATURE, I ran error_log("Received signature header: " . $_SERVER['HTTP_X_SQUARE_SIGNATURE'], 3, '/path/to/logfile.log');
and then the Received header was listed.
Is the signature key in the attached image okay?
Assuming there’s no problem, 1 to 4 seem to be cleared, so what’s the cause? I’d appreciate it if you could tell me.
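
The two values logged above cannot match whatever the key is: the received value is 28 base64 characters (20 bytes, the output size of an HMAC-SHA1), while the calculated one is 64 hex characters (32 bytes). The following is an added example, not code from this thread or from Square's SDK, showing a comparison in which algorithm, signed data and encoding line up. It assumes Square's documented scheme (the HMAC is taken over the notification URL followed by the raw body and sent base64-encoded, with HMAC-SHA1 in the legacy `X-Square-Signature` header and HMAC-SHA256 in `X-Square-HmacSha256-Signature`); the function names, URL, key and body are constructed placeholders.

```php
<?php
// Added example: not from the thread and not Square SDK code.
// Assumption: the sender signs notification URL + raw body and sends base64 of the
// raw HMAC; X-Square-Signature is HMAC-SHA1, X-Square-HmacSha256-Signature is HMAC-SHA256.

/** Describe how a signature string is encoded, so mismatches show up in the log. */
function describe_signature(string $sig): string
{
    if (preg_match('/^[0-9a-f]+$/i', $sig) && strlen($sig) % 2 === 0) {
        return 'hex, ' . (strlen($sig) / 2) . ' bytes';
    }
    $raw = base64_decode($sig, true); // strict mode: false on non-base64 input
    return $raw === false ? 'unrecognised encoding' : 'base64, ' . strlen($raw) . ' bytes';
}

/** Hypothetical helper: recompute the signature and compare in constant time. */
function verify_square_signature(string $algo, string $url, string $body, string $key, string $received): bool
{
    // Fourth argument true = raw binary digest, which is then base64-encoded
    // so it has the same form as the header value.
    $expected = base64_encode(hash_hmac($algo, $url . $body, $key, true));
    return hash_equals($expected, $received);
}

// Constructed sample values (placeholders, not real credentials or endpoints).
$key  = 'constructed-signature-key';
$url  = 'https://example.com/square/webhook';
$body = '{"type":"payment.created"}';

// What a sender following the assumed scheme would place in each header.
$legacyHeader = base64_encode(hash_hmac('sha1', $url . $body, $key, true));
$sha256Header = base64_encode(hash_hmac('sha256', $url . $body, $key, true));

// What the code in the question computes: hex SHA-256 over the body only.
$asInQuestion = hash_hmac('sha256', $body, $key);

echo describe_signature('B8wxaiaifuY7vE/8bpGlSpfs0Gg='), "\n"; // value logged in the thread
echo describe_signature($asInQuestion), "\n";
var_dump(verify_square_signature('sha1', $url, $body, $key, $legacyHeader));
var_dump(verify_square_signature('sha256', $url, $body, $key, $sha256Header));
var_dump(hash_equals($asInQuestion, $legacyHeader)); // the comparison from the question
```

In a real handler, `$body` is the unmodified `php://input` and `$url` is the notification URL exactly as registered for the webhook subscription; a request that fails the check should be rejected before its payload is written anywhere.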

Thanks for sharing. It helps me a lot.