I am trying to build a receiver for OpenProject webhooks, which will integrate incoming webhooks from OpenProject with Discord and potentially other services in the future, but am running into a wall with the signature.

Looking at the webhook job worker it seems the webhook's signature is generated as an HMAC hash of the request data, but trying to recreate this hash in Go falls flat:

type Wrapper struct {
	Data string `json:"data"`
}

func ReceiveWebhook() {
	var wrapper Wrapper
	wrapperMap := map[string]interface{}{
		"data": string(body),
	}
	wrapperString, _ := json.Marshal(wrapperMap)
	ops.logger.Println(string(wrapperString))
	json.Unmarshal(wrapperString, &wrapper)
	ops.logger.Println(wrapper.Data)

	signature := r.Header["X-Op-Signature"]
	h := hmac.New(sha1.New, []byte(webhook["secret"].(string)))
	h.Write([]byte(wrapper.Data))
	ops.logger.Printf("%x", h.Sum(nil))
	ops.logger.Println(signature)
}

The reason for implementing the signature the way I did, is because it seems Ruby's to_json method generates an escaped JSON string (correct me if I'm wrong - I already tried the raw request body with and without indents) but the signatures never match.