I am creating public app

I am creating a public app, but when I try to submit it, it's getting stuck at

Provides mandatory compliance webhooks

  • Verifies webhooks with HMAC signatures

Most likely your submission is failing because your app’s GDPR webhooks aren’t properly checking the HMAC signature on the webhooks.

Why is this an issue?

Well, because that means your API endpoints for these webhooks are not secured properly, and without proper signature checking your app is vulnerable to webhook spoofing by non-Shopify actors.

Based on your language / framework of choice this might be trivial.

I am using PHP webhook code and checked with ChatGPT, and all seems fine. Can you help me to fix this?

Please don’t bother posting with comments like this. Be informative, be helpful.

Please help me as I need to fix this asap.

```php
<?php
$sharedSecret = '********************'; // your App Secret Key
$rawBody = file_get_contents('php://input');
$hmacHeader = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '';
$calculatedHmac = base64_encode(hash_hmac('sha256', $rawBody, $sharedSecret, true));

// Log everything
file_put_contents(
    __DIR__ . '/hmac_debug.log',
    date('c') . "\n" .
    "Header: $hmacHeader\n" .
    "Calc: $calculatedHmac\n" .
    "Raw: $rawBody\n\n",
    FILE_APPEND
);

if (!hash_equals($calculatedHmac, $hmacHeader)) {
    http_response_code(401);
    echo json_encode(['error' => 'Invalid HMAC signature']);
    exit;
}

http_response_code(200);
// Decode the same raw body that was verified above
$payload = json_decode($rawBody, true);
file_put_contents('webhook_log.txt', print_r($payload, true), FILE_APPEND);
```

This is what I am doing in the verify_hmac file.
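A testable form of the check discussed in this thread, as an added example that is not any poster's code or Shopify's own; the function names, the secret and the payload are constructed. It runs the verifier over the cases that must return 401, including a body that was JSON-decoded and re-encoded before hashing.

```php
<?php
declare(strict_types=1);

// Added example: function names and sample values are constructed for illustration.

/** Base64 HMAC-SHA256 over the exact request bytes, the form carried in X-Shopify-Hmac-Sha256. */
function compute_webhook_hmac(string $rawBody, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
}

/** HTTP status the endpoint should send: 200 if the signature matches, 401 otherwise. */
function webhook_status(string $rawBody, ?string $hmacHeader, string $secret): int
{
    if ($hmacHeader === null || $hmacHeader === '') {
        return 401; // a missing header is rejected, never treated as "unsigned but fine"
    }
    // hash_equals() compares in constant time
    return hash_equals(compute_webhook_hmac($rawBody, $secret), $hmacHeader) ? 200 : 401;
}

// Constructed sample data, not a real credential or a real payload.
$secret  = 'example-app-secret';
$rawBody = '{"shop_id": 1, "shop_domain": "example.myshopify.com"}';
$valid   = compute_webhook_hmac($rawBody, $secret);

$cases = [
    'valid signature'            => [$rawBody, $valid, 200],
    'missing header'             => [$rawBody, null, 401],
    'body changed by one byte'   => [$rawBody . ' ', $valid, 401],
    'signed with another secret' => [$rawBody, compute_webhook_hmac($rawBody, 'wrong-secret'), 401],
    // Pitfall: re-serialising parsed JSON drops whitespace, so the hashed bytes differ.
    're-encoded JSON body'       => [json_encode(json_decode($rawBody, true)), $valid, 401],
];

foreach ($cases as $name => [$body, $header, $expected]) {
    $got = webhook_status($body, $header, $secret);
    printf("%-28s => %d %s\n", $name, $got, $got === $expected ? 'ok' : 'UNEXPECTED');
}
```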

We had this problem too even though our endpoints were all working.

Reach out to Partner support, they fixed it for us.