diff --git a/src/webhooks/gitea.js b/src/webhooks/gitea.js
index d61ddd8..3f5a35d 100644
--- a/src/webhooks/gitea.js
+++ b/src/webhooks/gitea.js
@@ -15,8 +15,31 @@ function verifySignature(req, secret) {
   }
   const hmac = crypto.createHmac('sha256', secret);
   hmac.update(JSON.stringify(req.body));
-  const expected = `sha256=${hmac.digest('hex')}`;
-  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
+  const rawExpected = hmac.digest('hex'); // 64 hex chars
+  // Extract raw hex from signature (strip algorithm prefix if present)
+  let rawSignature = signature;
+  if (signature.startsWith('sha256=')) {
+    rawSignature = signature.substring(7);
+  } else if (signature.startsWith('sha1=')) {
+    rawSignature = signature.substring(5);
+  }
+  // Ensure both are hex strings of length 64 (for SHA256) or 40 (for SHA1)
+  logger.debug('Signature verification', {
+    signature,
+    rawSignature,
+    rawExpected,
+    sigLen: rawSignature.length,
+    expLen: rawExpected.length
+  });
+  if (rawSignature.length !== rawExpected.length) {
+    logger.warn('Signature length mismatch', { rawSignatureLength: rawSignature.length, rawExpectedLength: rawExpected.length });
+    return false;
+  }
+  // Compare buffers (hex decoding)
+  return crypto.timingSafeEqual(
+    Buffer.from(rawSignature, 'hex'),
+    Buffer.from(rawExpected, 'hex')
+  );
 }
 
 /**
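Review bot: The added length check compares string lengths, not decoded buffer lengths, so a 64-character header value that is not valid hex (`Buffer.from(rawSignature, 'hex')` stops decoding at the first non-hex character) reaches `crypto.timingSafeEqual` with buffers of different sizes and throws a RangeError instead of returning false; the comment "Ensure both are hex strings" promises a check the code does not perform. Replace the length comparison with a format check such as `if (!/^[0-9a-f]{64}$/i.test(rawSignature)) { logger.warn('Malformed webhook signature', { length: rawSignature.length }); return false; }`, which also makes explicit that the `sha1=` branch can never succeed since the expected digest is always SHA-256. The `logger.debug` call writes the computed `rawExpected` digest and the presented `signature` to the log; the lengths alone are enough for diagnosis, and leaving the valid MAC for a payload out of log storage is the safer default. Separately, the MAC is still computed over `JSON.stringify(req.body)` rather than the raw request bytes (the unchanged context line above the change), which can produce a mismatch whenever re-serialization differs from what the sender signed; verifySignature begins outside this hunk, so where `signature` is read is not visible here.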