http_signature 0.0.7 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 33793ff4276cb6c366f88d15abb0e38b69cdb468
-  data.tar.gz: cde3efe53a20f5ef8a94c2ed21b9341300f4ed76
+SHA256:
+  metadata.gz: 0d4b1e73dff1838a018f5e0d5bef1c6a6a14c2b8ef552dbbfd0481ac85cb03b7
+  data.tar.gz: 1a087ded86d8f84213984d9bd56fb55462f65feb9abc876514249f12fc5166ef
 SHA512:
-  metadata.gz: 88cf8f428a7bafd0971b4e8d0650c8b9ee15c8f74794347afa7cdaed32da0462468f4a7f1471f1f4578886009801a822dcf990481d859dac5fa3e9b65e2e8630
-  data.tar.gz: 516d8a279e8a340df3e2aae7e8b1bd313229dd8e8643c81bda7caea37e321d1e812e692afabe2b4535281c6c35970b2b62286ffdd07178fa5a57ca2c63d0c72f
+  metadata.gz: 7796499163d70782ea0fd809316c39a4d2a933cf01cc88f6daaa88d673607e9a138643d666fc5080063ea0bdb1068d32c48642fb487c59d6edcb7626fba7ad8e
+  data.tar.gz: 1603d71ad33fc087e456949de3e1534f3cf08c894a3fe10a3f456f6751409ddbbda247a53511d201866cf10f629e2c676fbe2eaa7cb0e0535dae81a2cad6e2a2

data/.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Run tests with coverage
+        env:
+          COVERAGE: "true"
+        run: bundle exec rake test
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-html
+          path: coverage/
+          if-no-files-found: warn
+

data/.github/workflows/standardrb.yml

@@ -0,0 +1,15 @@
+name: Standard Ruby
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
+    steps:
+    - name: Standard Ruby
+      uses: standardrb/standard-ruby-action@v1
+      with:
+        autofix: false

data/.gitignore

@@ -1 +1,3 @@
 *.gem
+coverage/
+node_modules

data/.ruby-version

@@ -1 +1 @@
-2.4.0
+3.4.8

data/Gemfile

@@ -1,4 +1,5 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
+
+ruby "3.4.8"
 
-# Specify your gem's dependencies in rpc.gemspec
 gemspec

data/Gemfile.lock

@@ -1,26 +1,159 @@
 PATH
   remote: .
   specs:
-    http_signature (0.0.7)
+    http_signature (1.0.0)
+      base64
 
 GEM
   remote: https://rubygems.org/
   specs:
-    faraday (0.15.0)
-      multipart-post (>= 1.2, < 3)
-    minitest (5.10.3)
-    multipart-post (2.0.0)
-    rake (12.2.1)
+    actionpack (8.1.1)
+      actionview (= 8.1.1)
+      activesupport (= 8.1.1)
+      nokogiri (>= 1.8.5)
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+      useragent (~> 0.16)
+    actionview (8.1.1)
+      activesupport (= 8.1.1)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (8.1.1)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      json
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    ast (2.4.3)
+    base64 (0.3.0)
+    bigdecimal (4.0.1)
+    builder (3.3.0)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    crass (1.0.6)
+    docile (1.4.1)
+    drb (2.2.3)
+    erubi (1.13.1)
+    faraday (2.14.0)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
+    i18n (1.14.8)
+      concurrent-ruby (~> 1.0)
+    json (2.18.0)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    loofah (2.25.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    minitest (6.0.0)
+      prism (~> 1.5)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    nokogiri (1.19.0-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.19.0-x86_64-linux-gnu)
+      racc (~> 1.4)
+    parallel (1.27.0)
+    parser (3.3.10.0)
+      ast (~> 2.4.1)
+      racc
+    prism (1.7.0)
+    racc (1.8.1)
+    rack (3.2.4)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    rack-test (2.2.0)
+      rack (>= 1.3)
+    rails-dom-testing (2.3.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.2)
+      loofah (~> 2.21)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    rainbow (3.1.1)
+    rake (13.3.1)
+    regexp_parser (2.11.3)
+    rubocop (1.81.7)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    rubocop-performance (1.26.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+    ruby-progressbar (1.13.0)
+    securerandom (0.4.1)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
+    standard (1.52.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.81.7)
+      standard-custom (~> 1.0.0)
+      standard-performance (~> 1.8)
+    standard-custom (1.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.50)
+    standard-performance (1.9.0)
+      lint_roller (~> 1.1)
+      rubocop-performance (~> 1.26.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    uri (1.1.1)
+    useragent (0.16.11)
 
 PLATFORMS
-  ruby
+  arm64-darwin-25
+  x86_64-linux
 
 DEPENDENCIES
+  actionpack (>= 6.1)
   bundler
-  faraday
+  faraday (>= 2.7)
   http_signature!
-  minitest
+  minitest (>= 5.24)
+  rack
   rake
+  simplecov
+  standard
+
+RUBY VERSION
+  ruby 3.4.8
 
 BUNDLED WITH
-   1.16.1
+  4.0.2

data/README.md

@@ -1,162 +1,156 @@
 # HTTP Signature
-[![CircleCI](https://circleci.com/gh/bolmaster2/http-signature.svg?style=svg)](https://circleci.com/gh/bolmaster2/http-signature)
 
-Create and validate HTTP request signature according to this draft: https://tools.ietf.org/html/draft-cavage-http-signatures-08
+Create and validate HTTP Message Signatures per [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421) using the `Signature-Input` and `Signature` headers.
 
-Aims to only implement the creation and validation of the signature without any external dependencies.
-The idea is to implement adapters to popular http libraries to make it easy to use.
+Aims to only implement the creation and validation of signatures without any external dependencies. Adapters are provided for common HTTP libraries.
 
-## Installation
+__NOTE__: RFC 9421 signs components via two headers:
+```
+Signature-Input: sig1=("@method" "@authority" "@target-uri" "date");created=...
+Signature: sig1=:BASE64_SIGNATURE_BYTES:
 ```
+
+## Installation
+
+```shell
 gem install http_signature
 ```
 
 ## Usage
 
-```ruby
-require 'http_signature'
-```
+### Create signature
+
+`HTTPSignature.create` returns both `Signature-Input` and `Signature` headers that you can include in your request.
+
 
-### Basic
-The most basic usage without any extra headers. The default algorithm is `hmac-sha256`. This create the `Signature` header value. Next step is to add the value to the header and 💥 you're done!
 ```ruby
-HTTPSignature.create(
-  url: 'https://example.com/foo',
+headers = { 'date' => 'Tue, 20 Apr 2021 02:07:55 GMT' }
+
+sig_headers = HTTPSignature.create(
+  url: 'https://example.com/foo?pet=dog',
+  method: :get,
+  headers: headers,
   key_id: 'Test',
-  key: 'secret 🙈'
+  key: 'secret',
+  covered_components: %w[@method @target-uri date],
 )
-# 'keyId="Test",algorithm="hmac-sha256",headers="(request-target)",signature="OQ/dHqRW9vFmrW/RCHg7O2Fqx+3uqxJw81p6k9Rcyo4="'
+
+request['Signature-Input'] = sig_headers['Signature-Input']
+request['Signature'] = sig_headers['Signature']
 ```
 
-### With headers, query parameters and a body
-Uses both query parameters (in query string) and a `json` body as a `POST` request.
-Also shows how to set `rsa-sha256` as algorithm. The `digest` is as you see basically
-a `sha-256` digest of the request body.
+
+### Validate signature
+
+Call `valid?` with the incoming request headers (including `Signature-Input` and `Signature`)
 
 ```ruby
-params = {
-  param: 'value',
-  pet: 'dog'
-}
-
-body = '{"hello": "world"}'
-
-headers = {
-  'date': 'Thu, 05 Jan 2014 21:31:40 GMT',
-  'content-type': 'application/json',
-  'digest': HTTPSignature.create_digest(body),
-  'content-length': body.length
-}
-
-HTTPSignature.create(
-  url: 'https://example.com/foo',
-  method: :post,
-  query_string_params: params,
+HTTPSignature.valid?(
+  url: "https://example.com/foo",
+  method: :get,
   headers: headers,
-  key_id: 'Test',
-  algorithm: 'rsa-sha256',
-  key: File.read('key.pem'),
-  body: body
+  key: "secret"
 )
 ```
 
-### With digest header auto-added
-When digest header is omitted it's auto added as last header generated from the `body`:
+## Outgoing request examples
+
+### NET::HTTP
 
 ```ruby
-body = '{"foo": "bar"}'
+require 'net/http'
+require 'http_signature'
 
-HTTPSignature.create(
-  url: 'https://example.com/foo',
-  key_id: 'Test',
-  key: 'secret 🙈',
-  body: body
-)
-# 'keyId="Test",algorithm="hmac-sha256",headers="(request-target) digest",signature="3Jm5jnCSKX3fYLd58RqRdafZKeuSbUEPhn7grCGx4vg="'
-```
+uri = URI('http://example.com/hello')
 
-### Validate asymmetric signature
-With an asymmetric algorithm you can't just recreate the same header and see if they
-check out, because you need the private key to do that and because the one validating
-the signature should only have access to the public key, you need to validate it with that.
+Net::HTTP.start(uri.host, uri.port) do |http|
+  request = Net::HTTP::Get.new(uri)
 
-Imagine the incoming HTTP request looks like this:
-```
-POST /foo HTTP/1.1
-Host: example.com
-Date: Thu, 05 Jan 2014 21:31:40 GMT
-Content-Type: application/json
-Content-Length: 18
-Digest: SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
-Signature: keyId="Test-1",algorithm="rsa-sha256",headers="(request-target) host date content-type content-length digest",signature="YGPVM1tGHD7CHgTmroy9apLtVazdESzMl4vj1koYHNCMmTEDor4Om5TDZDFaJdny5dF3gq+PQQuPwyknNEvACmSjwVXzljPFxaY/JMZTqAdD0yHTP2Rx0Y/J4GwgKARWTZUmccfVYsXp86PhIlCymzleZzYCzj6shyg9NB7Ht+k="
-
-{"hello": "world"}
-```
+  sig_headers = HTTPSignature.create(
+    url: request.uri,
+    method: request.method,
+    headers: request.each_header.map { |k, v| [k, v] }.to_h,
+    key: 'MYSECRETKEY',
+    key_id: 'KEY_1',
+    algorithm: 'hmac-sha256',
+    body: request.body ? request.body : ''
+  )
 
-Let's assume we have this request ☝️ in a `request` object for the sake of the example:
-```ruby
-HTTPSignature.valid?(
-  url: request.url,
-  method: request.method,
-  headers: request.headers,
-  body: request.body,
-  key: OpenSSL::PKey::RSA.new('public_key.pem'),
-  algorithm: 'rsa-sha256'
-)
+  request['Signature-Input'] = sig_headers['Signature-Input']
+  request['Signature'] = sig_headers['Signature']
+
+  response = http.request(request) # Net::HTTPResponse
+end
 ```
 
-## Example usage with middleware
-### Faraday middleware on outgoing requests
-Example of using it on an outgoing request.
+### Faraday
+
+As a faraday middleware
+
 ```ruby
 require 'http_signature/faraday'
 
-HTTPSignature::Faraday.key = 'MySecureKey' # This should be long and random
-HTTPSignature::Faraday.key_id = 'key-1' # For the recipient to know which key to decrypt with
+HTTPSignature::Faraday.key = 'secret'
+HTTPSignature::Faraday.key_id = 'key-1'
 
-
-# Tell faraday to use the middleware. Read more about it here: https://github.com/lostisland/faraday#advanced-middleware-usage
 Faraday.new('http://example.com') do |faraday|
   faraday.use(HTTPSignature::Faraday)
   faraday.adapter(Faraday.default_adapter)
 end
 
-# Now this request will contain the `Signature` header
+# Now this request will contain the `Signature-Input` and `Signature` headers
 response = conn.get('/')
 
 # Request looking like:
-# GET / HTTP/1.1
-# User-Agent: Faraday v0.15.0
-# Signature: keyId="key-1",algorithm="hmac-sha256",headers="(request-target) date",signature="EzFa4vb0z+VFF8VYt9qQlzF9MTf5Izptc02OJ7aajnU="
+# Signature-Input: sig1=("@method" "@authority" "@target-uri" "date");created=...
+# Signature: sig1=:BASE64_SIGNATURE:
 ```
 
-### Rack middleware for incoming requests
-I've written a quite sloppy but totally usable rack middleware that validates every incoming request.
+## Incoming request examples
+
+### Rack middleware
+Rack middlewares sits in between your app and the HTTP request and validate the signature before hitting your app. Read more about [rack middlewares here](https://codenoble.com/blog/understanding-rack-middleware/).
+
+Here is how it could be used with sinatra:
 
-#### General rack application
-Sinatra for example
 ```ruby
 require 'http_signature/rack'
 
-HTTPSignature.config(keys: [{ id: 'key-1', value: 'MySecureKey' }])
-# You can exclude paths where you don't want to validate the signature:
-HTTPSignature::Rack.exclude_paths = ['/']
+HTTPSignature.configure do |config|
+  config.keys = [
+    {id: 'key-1', value: 'MySecureKey'}
+  ]
+end
+HTTPSignature::Rack.exclude_paths = ['/', '/hello/*']
 
 use HTTPSignature::Rack
 run MyApp
 ```
 
-#### Rails
-Checkout [this documentation](http://guides.rubyonrails.org/rails_on_rack.html). But in short, add this inside the config block:
+### Rails
+Opt-in per controller/action using a before_action. It responds with `401 Unauthorized` if the signature is invalid
+
 ```ruby
-require 'http_signature/rack' # This doesn't have to be inside the block
-config.middleware.use HTTPSignature::Rack
+# app/controllers/api/base_controller.rb
+
+require 'http_signature/rails'
+
+class Api::BaseController < ApplicationController
+  include HTTPSignature::Rails::Controller
+
+  before_action :verify_http_signature!
+end
 ```
 
-Don't forget to set the keys somewhere, an initializer should be suitable. Multiple keys
-are supported to be able to easily be rotated.
+Set the keys in an initializer
 ```ruby
-HTTPSignature.config(keys: [{ id: 'key-1', value: 'MySecureKey' }])
+# config/initializers/http_signature.rb
+
+HTTPSignature.configure do |config|
+  config.keys = [
+    {id: 'key-1', value: 'MySecureKey'}
+  ]
+end
 ```
 
 
@@ -179,11 +173,9 @@ rake test TEST=test/http_signature_test.rb TESTOPTS="--name=/appends\ the\ query
 ## License
 This project is licensed under the terms of the [MIT license](https://opensource.org/licenses/MIT).
 
-## Todo
-- Add more example of use with different http libraries
-- Refactor `.valid?` to support all algorithms
-- Implement algorithms:
-  - ecdsa-sha256
-- When creating the signing string, follow the spec exactly:
-  https://tools.ietf.org/html/draft-cavage-http-signatures-08#section-2.3,
-  e.g, concatenate multiple instances of the same headers and remove surrounding whitespaces
+## Why/when should I use this?
+When you need to make sure that the request or response has not been tampered with (_integrity_). And you can be sure that the request was sent by someone that had the key (_authenticity_). Don't confuse this with encryption, the signed message is not encrypted. It's just _signed_. You could add a layer of encryption on top of this. Or just use HTTPS and you're _kinda safe_ for not that much hassle, which is totally fine in most cases.
+
+[Read more about HMAC here](https://security.stackexchange.com/questions/20129/how-and-when-do-i-use-hmac/20301), even though you can sign your messages with RSA as well, but it's the same principle.
+
+Beware that this has not been audited and should be used at your own risk!

data/Rakefile

@@ -1,8 +1,8 @@
-require 'bundler/gem_tasks'
-require 'rake/testtask'
+require "bundler/gem_tasks"
+require "rake/testtask"
 
 Rake::TestTask.new do |t|
-  t.libs << 'test'
+  t.libs << "test"
   t.pattern = "test/**/*_test.rb"
   t.verbose = false
 end

data/bin/standardrb

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'standardrb' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("standard", "standardrb")

data/http_signature.gemspec

@@ -1,24 +1,33 @@
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "http_signature/version"
 
 Gem::Specification.new do |spec|
-  spec.name          = 'http_signature'
-  spec.version       = '0.0.7'
-  spec.authors       = ['Joel Larsson']
-  spec.email         = ['bolmaster2@gmail.com']
+  spec.name = "http_signature"
+  spec.version = HTTPSignature::VERSION
+  spec.authors = ["Joel Larsson"]
+  spec.email = ["bolmaster2@gmail.com"]
 
-  spec.summary       = 'Create and validate HTTP request signature'
-  spec.description   = 'Create and validate HTTP request signature according to draft: https://tools.ietf.org/html/draft-cavage-http-signatures-09'
-  spec.homepage      = 'https://github.com/bolmaster2/http-signature'
-  spec.license       = 'MIT'
+  spec.summary = "Create and validate HTTP Message Signatures"
+  spec.description = "Create and validate HTTP Message Signatures according to RFC 9421: https://www.rfc-editor.org/rfc/rfc9421.html"
+  spec.homepage = "https://github.com/bolmaster2/http-signature"
+  spec.license = "MIT"
 
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  spec.bindir        = 'exe'
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ['lib']
+  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
 
-  spec.add_development_dependency 'bundler'
-  spec.add_development_dependency 'rake'
-  spec.add_development_dependency 'minitest'
-  spec.add_development_dependency 'faraday'
+  spec.required_ruby_version = ">= 3.0.0"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "minitest", ">= 5.24"
+  spec.add_development_dependency "rack"
+  spec.add_development_dependency "faraday", ">= 2.7"
+  spec.add_development_dependency "standard"
+  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "actionpack", ">= 6.1"
+
+  spec.add_dependency "base64"
 end

data/lib/http_signature/faraday.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require 'http_signature'
-require 'faraday'
+require "http_signature"
+require "faraday"
 
 class HTTPSignature::Faraday < Faraday::Middleware
   class << self
@@ -9,10 +9,10 @@ class HTTPSignature::Faraday < Faraday::Middleware
   end
 
   def call(env)
-    raise 'key and key_id needs to be set' if self.class.key.nil? || self.class.key_id.nil?
+    raise "key and key_id needs to be set" if self.class.key.nil? || self.class.key_id.nil?
 
     body =
-      if env[:body] && env[:body].respond_to?(:read)
+      if env[:body]&.respond_to?(:read)
         string = env[:body].read
         env[:body].rewind
         string
@@ -21,20 +21,22 @@ class HTTPSignature::Faraday < Faraday::Middleware
       end
 
     # Choose which headers to sign
-    filtered_headers = %w{ Host Date Digest }
-    headers_to_sign = env[:request_headers].select { |k, v| filtered_headers.include?(k.to_s) }
+    filtered_headers = %w[Host Date Content-Digest]
+    headers_to_sign = env[:request_headers].select { |k, _v| filtered_headers.include?(k.to_s) }
 
-    signature = HTTPSignature.create(
+    signature_headers = HTTPSignature.create(
       url: env[:url],
       method: env[:method],
       headers: headers_to_sign,
       key: self.class.key,
       key_id: self.class.key_id,
-      algorithm: 'hmac-sha256',
+      algorithm: "hmac-sha256",
       body: body
     )
 
-    env[:request_headers].merge!('Signature' => signature)
+    signature_headers.each do |header, value|
+      env[:request_headers][header] = value
+    end
 
     @app.call(env)
   end