Skip to main content
Published: October 31 2006, 4:26:00 PMUpdated: November 28 2020, 2:57:40 PM

The hashkey generated (using the format described in the document) does not match the notification signature returned in the Notification payload. What should I do?


 The steps and formula of generating a  notification signature hash are:

    1. create a string as below: 
             eBayTimeGMTString + DevId + AppId + CertId
    2. create and instantiate a MessageDigest object with MD5 algorithm
    3. compute the MD5 hash with the string byte array
    4. convert the hash to Base64 encoding

 Please keep in mind that the notification signatures returned in eBay Platform Notification payloads are generated based on GMT time. To validate the notification hash, you must make sure to pass a GMT timestamp string to your computing routine.

Detailed Description

  The Timestamp in the notification SOAP message is a Calendar object. When you read the timestamp and pass it to a Calendar instance as below,  Java VM automatically set the calendar's timezone to your machine's timezone. 
       java.util.Calendar timestamp = transactionResponse.getTimeStamp(); 

  You then need to reset the Calendar object's TimeZone to GMT  and formate the string using SimpleDateFormat class to get the notification's GMT string.  

 We have provided two methods : generateSignatureStr() and convertToGMTString(). The following code illustrates how to validate the notification signature using these two Java utilities.

     private final String devId =  "";
     private final String appId=   "" ;
     private final String cert=    "";

     If your  notification listener is  implemented with JAXB and SAAJ  java frameworks,  the TimeStamp is returned in XMLGregorianCalendar.

     javax.xml.datatype.XMLGregorianCalendar xmlCal=transResp.getTimestamp();
     java.util.Calendar timestamp =xmlCal.toGregorianCalendar();
     String timeStr = convertToGMTString(timestamp);
     try {
            String signature = generateSignatureStr(timeStr, devId,appId,cert);
        }catch(NoSuchAlgorithmException nsae){}

    If you copy/paste the Timestamp string directly from the notification payload,  you can pass the GMT time string to the getNotificationSignature() method :

     String timestampGmtString =    "2006-10-18T19:56:47.349Z"

     String signature =   generateSignatureStr(timestampGmtString , devId,appId,cert);

     public static String  generateSignatureStr(String responseTime,
                                  String devName, String appName, String certificate) throws NoSuchAlgorithmException {
  md5 ="MD5");
           String s = responseTime + devName + appName + certificate;
           return org.apache.axis.encoding.Base64.encode(md5.digest(s.getBytes()));

     public static String convertToGMTString(java.util.Calendar cal){
           java.text.SimpleDateFormat fmt = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); 
           fmt.setTimeZone( TimeZone.getTimeZone("GMT"));
           java.util.Date date = cal.getTime();
           String timeStr = fmt.format(date); 
           return timeStr;

NOTE.  The org.apache.axis.encoding.Base64 class is used in the generateSignatureStr() method that you need to include a standard axis library in your Java classpath.

Additional Resources

How well did this answer your question?
Answers others found helpful