From 2130593365ccfe09ecdc61e80b7e5705e9338b77 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Nov 18 2016 09:50:49 +0000 Subject: Document the obvious about signatures Signed-off-by: Patrick Uiterwijk --- diff --git a/doc/usage/using_webhooks.rst b/doc/usage/using_webhooks.rst index 2c1b8ec..f138a40 100644 --- a/doc/usage/using_webhooks.rst +++ b/doc/usage/using_webhooks.rst @@ -35,6 +35,10 @@ check that the message comes from pagure. ``X-Pagure-Signature-256`` contains the SHA-256 signature of the message allowing to check that the message comes from pagure. +.. note:: These headers are present to allow you to verify that the webhook + was actually sent by the correct Pagure instance. These are not + included in the signed data. + Pagure relies on ``hmac`` to sign the content of its messages. If you want to validate the message, in python, you can do something like the following:
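Review bot: In the added ``.. note::``, the second sentence "These are not included in the signed data" has an unclear antecedent and never says what the signed data is. A reader can take "These" to mean only the signature headers or every header described above the note, and the difference matters when deciding which parts of a request can be trusted after verification. Suggest naming both sides explicitly, for example "The signature headers themselves are not part of the signed data; only the content of the message is signed", which matches the following context line stating that Pagure uses ``hmac`` to sign the content of its messages. The first sentence also largely repeats the existing text "allowing to check that the message comes from pagure", so the note could be reduced to the one new fact it adds.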