No.
The signature at V2 interface is MD5 or HMAC-SHA256, and the signature at V3 interface is asymmetric key SHA256-RSA.

The WeChat Pay callback contains the following four HTTP headers in the HTTP header:
1、Wechatpay-Timestamp
2、Wechatpay-Nonce
3、Wechatpay-Singature
4、Wechatpay-Serial Some proxy servers or CDN service providers will "filter" the HTTP headers of WeChat Pay extensions when forwarding, causing the application layer of signature verification to fail to obtain the signature information of WeChat Pay.
In that case, merchants should adjust the proxy server configuration or accept WeChat Pay callbacks through direct connection.

The error is caused by the wrongly set basic rules.
Both Accept and User-Agent need to be set.
1. Please refer to the following to set up Accept setting:
Content-Type: application/json Accept: The application/ json
2. Refer to the following tips for the setting of User-Agent:
HTTP agreement requires the requesting client to use User-Agent in the HTTP header to identify itself in each request. WeChat Pay recommends that the caller choose one of the following two methods:
A. Use the default User-Agent of the HTTP client.
B. Follow the HTTP agreement, and use the name and version of the system and application to form the unique User-Agent.
Note:
1. The error only exists in the V3 interface.
2. WeChat Pay API V3 is likely to refuse to process requests without User-Agent.

We recommend using the SDK provided by WeChat Pay. You can also view the sample codes in the following programming languages.

/**
  * 獲取私鑰。
  *
  * @param filename 私鑰文件路徑  (required)
  * @return 私鑰對(duì)象
  */
public static PrivateKey getPrivateKey(String filename) throws IOException {

  String content = new String(Files.readAllBytes(Paths.get(filename)), "utf-8");
  try {
    String privateKey = content.replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replaceAll("\\s+", "");

    KeyFactory kf = KeyFactory.getInstance("RSA");
    return kf.generatePrivate(
        new PKCS8EncodedKeySpec(Base64.getDecoder().decode(privateKey)));
  } catch (NoSuchAlgorithmException e) {
    throw new RuntimeException("當(dāng)前Java環(huán)境不支持RSA", e);
  } catch (InvalidKeySpecException e) {
    throw new RuntimeException("無(wú)效的密鑰格式");
  }
}

/**
* Read private key from file
*
* @param string    $filepath     PEM encoded private key file path
* 
* @return resource|bool     Private key resource identifier on success, or FALSE on error
*/
public static function getPrivateKey($filepath) {
    return openssl_get_privatekey(file_get_contents($filepath));
}

protected string sign(string message)
{
    // 需去除私鑰文件中的-----BEGIN/END PRIVATE KEY-----
    string privateKey = "MIIEvgIBADANBgkqhkiG...30HBe+GD1tntZgf6I1Y0ZpHZ";
    byte[] keyData = Convert.FromBase64String(privateKey);
    using (CngKey cngKey = CngKey.Import(keyData, CngKeyBlobFormat.Pkcs8PrivateBlob))
    using (RSACng rsa = new RSACng(cngKey))
    {
        byte[] data = System.Text.Encoding.UTF8.GetBytes(message);
        return Convert.ToBase64String(rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }
}

package main
import (
  "crypto/x509"
  "encoding/pem"
  "fmt"
  "log"
)

func main() {
  var pemData = []byte(`
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1yhh6LNB8nXmOSxdGKWmDh0OxAM/wnGyHKSD9tcEhMQTe+wabce0POXzejCmwFBzZa7ZmxH5LoAeyT7Fpwb7pptbbDx58CxCYhNEdQ2XrFILUCq3daMj++KQlyDp8U0NspFKsO57gSlihAJ49DzcXQb7Vs5daIvtLapIouPyixAE5uDL+afmJ+bXC11xP5sPWw1RfXynW3vbEyfRol9hQyQWfmO15GSZi6TTAhTKaW31yKaQNChy06K+LsE9JAU+ESxihthtGiMbY3fFRyhF9Ka2e0wIOz6UdcfwMjxXWRV4OLD1uFG9IYbUiugmYtDyIYZaFDPYdi/+Rjm10Ps5lAgMBAAECggEAb19kRZ2lEWOM8D9S//opGZrKPuvneVrsJpZtDuLGcqZMfKvALYXLnZMzzEiE1cpMrmuOMUHaukxNytGGOOupIg7D/SszGv3QahCc6Ne83hwP1wa/5DDpS0RblIYqRrbgTPQTbk+Mk48Y43K0f2YN82KlHtnLNT7PRDIDX42Nwc1X8f4JcfyKUE/pOSn+YUlu5Edu6QYbWJWS7mlojEZ/wuWbSymbs6mVVkKeSWGTIh1v4n2F3Gj6ckUDlt4aZWTVcBa2+ZvSE2h5frSH0snpdGV1bW44IqE3NkwfTQ7JI34CVJdhb3goIyoTmiz6NGEZuiyr8gP9IOjqPfeP7GO5YQKBgQDuB1CT8ksO4SqR3skRkdCQW7kOogZgDThei+3HUMOsHr8L42oYkJDmk2res1ow/mz6SoIV4w6mvvUSnACxdtYA1AzUEs3jvltv8cQ1HAuDhLRslWrhSoxrQQh20yrVxxGN0J4DdCAGURSUwypzUHR+mlfcjacPyxKUsT41+8zG+QKBgQDDg8ZGivuV794RuA3cfpitUFG+0nA0ZS3qAZqlA3ufnCudHQixFIsf83Q7sX7pBob5PNONqsbv0OKpC3/xJRSPIwjWTBUPlDLrsGajKMhUPtkWo4zkfrSa8XaUpUVDU0qTzS71f9Aab3SkPH1d1o4cQxO08axGLbmTV/46QCBzQKBgDd7ZQDXPT+epHmT4HJD9sVvW9dZVPsWmckP/MC0xqdcE1QGEjjfmablPcfjLma1J1m//Ep1vniHkkBgNJkpBgDzbHoSWAN5335ccEug2d4yFIwq19rjsY9efUaVOirSV/kiY3KSotRWGeIDC+YNHtpTx58VNZes0gvutH2Iz9ahAoGAUcoWb/xEMv0dURxF8C+lfxtSlxlBhymsg3AYWV+Tn7mdJSS4Nhv592vI/A/Mn37zh+BCP8lpX3lq2HzPEPoKF7b4Q22ggdvlSQT6SMT8mTtfbyPSyRAQdWZQZnyVkTD3TvPDg7CKD1As8KFiFuXPAD2KgI9nVz6XhNBpjZ8rbyECgYEAsOrm1hbNZbvlNhnuUjw5DTgTuJ3B0j1aK/7C2EQWR+mIG2q5TKDC6xNdszV0gK1/TbJk4RNgQo0JLkuZ2Xk2Q8KhaNe+X8SYP9CFKIsXuhGrYI5ICjipov5oJqjESV4wle575eWwdPgF1ICabpIqdnX2MxS9tkk830uXxPrXpRA=
-----END PRIVATE KEY-----`)

  block, rest := pem.Decode(pemData)
  if block == nil || block.Type != "PRIVATE KEY" {
    log.Fatal("failed to decode PEM block containing public key")
  }

  pri, err := x509.ParsePKCS8PrivateKey(block.Bytes)
  if err != nil {
    log.Fatal(err)
  }

  fmt.Printf("Got a %T, with remaining data: %q", pri, rest)
}

Please find the cause of the error and the corresponding solution in the table below according to the message.

In order to help developers locate the error, we will add the verification information to the error detail detail of the response when there is a verification failure. The verification information is a variety of information we request Constructing a signature stringbased on the merchant's HTTP.

1. Method, HTTP request method

2. Url, requested URL

3. Truncated_sign_message, the signature string used during WeChat Pay verification (the line break is displayed as \n). For easy viewing, we truncated the body of the final request message.

4. sign_message_length, byte length of the signature string used in WeChat Pay verification

{
"code": "SIGN_ERROR",
"message": "Verification failed due to wrong signature",
"detail": {
    "field": "signature",
    "issue": "sign not match",
    "location": "authorization",
    "sign_information": {
        "method": "GET",
        "url": "/payscore/user-service-state?service_id=500001&appid=wxeaf7bf1de621b0c2&openid=oWm9Z5JQwgV7BKAQUeKsUMVSjTpQ",
        "truncated_sign_message": "GET\n/payscore/user-service-state?service_id=500001&appid=wxeaf7bf1de621b0c2&openid=oWm9Z5JQwgV7BKAQUeKsUMVSjTpQ\n1559194069\n18a427e78d2344e1a71156a2690cc4d6\n\n",
        "sign_message_length": 157
    }
}
}

We recommend that developers export the signature string they have assembled and the byte length of the signature string in the debugging information in the program, and carefully compare the verification information returned by WeChat Pay to check for the following common errors:

No line break character added to the last line of the signature string

If the body of the request message is empty (such as a GET request), the last line should be a line break character.

The parameters in the signature string are inconsistent with the actual requested parameters.

The manually spliced URL is inconsistent with the actual request sent. We recommend using the HTTP library to construct the request object or URL object, then use the corresponding method to obtain the URL.

Two timestamps generated at different time were used when you sign and set the Authorization header.

Two different random strings generated at different time were used when you sign and set the Authorization header.

The JSON strings serialized at different time were used as the request subject during signing and request.

Notice

Developers of merchants can generate and save key parameters in variables, and use them for signing and sending requests to avoid inconsistencies in information generated at different time.

Inconsistent text encoding

The generated signature string uses non-UTF-8 encoding or no specific encoding is set.

Wrong signature string construction sequence

The signature string was not constructed in the order required by the document.

Wrong merchant private key

Developers can use the following openssl command to check whether the private key and the modulus (the product of the two large prime numbers p and q) in the merchant certificate are consistent. If yes, the private key and certificate are paired.

$ openssl x509 -noout -modulus -in 1900009191_20180326_cert.pem
Modulus=C6D43C87B991...
$ openssl rsa -noout -modulus -in 1900009191_20180326_key.pem
Modulus=C6D43C87B991...

Notice

1. The modulus length is 2048 bits, and the output is 512 bytes.
2. Before checking the key matching, please check the certificate serial number to check whether it is the correct merchant certificate.

The callback of WeChat Pay contains the following four HTTP headers in the HTTP header:

1. Wechatpay-Timestamp

2. Wechatpay-Nonce

3. Wechatpay-Signature

4. Wechatpay-Serial

Some proxy servers or CDN service providers will "filter" the HTTP headers of WeChat Pay extensions when forwarding, causing the application layer of signature verification to fail to obtain the signature information of WeChat Pay. In that case, merchants should adjust the proxy server configuration or accept WeChat Pay callbacks through direct connection.