diff --git a/services/python-ci.py b/services/python-ci.py
index 825f402..950cf44 100755
--- a/services/python-ci.py
+++ b/services/python-ci.py
@@ -13,6 +13,8 @@ from gitlab import Gitlab
 import urllib.request
 import json
 import argparse
+import hmac
+import hashlib
 def gitlab_build(payload, gl):
@@ -112,23 +114,33 @@ def gitea_build(payload, token):
     route_name="gitea_payload", renderer="json", request_method="POST"
 )
 class GiteaHook(object):
-    def __init__(self, request):
-        self.request = request
-        self.payload = self.request.json
+        self.payload = request.json
         self.whitelist = ['nyanloutre/site-musique', 'nyanloutre/site-max']
-        self.secret = open(args.secret, 'r').readline().splitlines()[0]
-        self.gitea_token = open(args.gitea_token, 'r').readline().splitlines()[0]
+        self.gitea_token = open(args.gitea_token, 'r').readline().strip()
-    @view_config(header="X-Gitea-Event:push")
+    @view_config(header=["X-Gitea-Event:push", "X-Gitea-Signature"], check_hmac=True)
     def push_hook(self):
-        if self.payload['repository']['full_name'] in self.whitelist and self.payload['secret'] == self.secret:
+        if self.payload['repository']['full_name'] in self.whitelist:
             pool.apply_async(gitea_build, (self.payload, self.gitea_token))
             return "build started"
         else:
             raise HTTPNotFound
+class CheckHmacPredicate(object):
+    def __init__(self, val, info):
+        self.secret = open(args.secret, 'r').readline().strip().encode()
+
+    def text(self):
+        return 'HMAC checking enabled'
+
+    phash = text
+
+    def __call__(self, context, request):
+        payload_signature = hmac.new(self.secret, request.body, hashlib.sha256).hexdigest()
+        return hmac.compare_digest(request.headers["X-Gitea-Signature"], payload_signature)
+
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(description='CI server')
     parser.add_argument('--address', help='listening address', default='127.0.0.1')
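Review bot: The second hunk removes the `def __init__(self, request):` line of GiteaHook but keeps its body (`+        self.payload = request.json`, `self.whitelist`, `self.gitea_token`) at method indentation, so as the hunk reads the class body references `self`/`request` at class scope and the later dedent to `@view_config` no longer matches an enclosing level; the hunk counts (23/33) are consistent with that line really being deleted, so restore `    def __init__(self, request):` directly above the added `self.payload` line. In `CheckHmacPredicate.__call__`, `request.headers["X-Gitea-Signature"]` raises `KeyError` when the header is absent and `hmac.compare_digest` raises `TypeError` on a non-ASCII `str`, so a malformed request becomes a 500 instead of a refusal; the `header=[...]` view predicate presumably filters such requests first, but the custom predicate should not depend on evaluation order. A rejected signature also leaves no log line, so forged or misconfigured webhook calls are invisible to operators; the rewrite below reads the header with `.get`, compares bytes, and logs before returning False (`logger` stands for a module-level `logging.getLogger(__name__)`, which the visible hunk does not set up). Both the secret and token reads use a bare `open()` whose handle is never closed — `with open(args.secret, 'r') as f: self.secret = f.readline().strip().encode()`, and the same for `self.gitea_token` in GiteaHook.
```python
    def __call__(self, context, request):
        expected = hmac.new(self.secret, request.body, hashlib.sha256).hexdigest()
        provided = request.headers.get("X-Gitea-Signature", "")
        if not hmac.compare_digest(provided.encode("utf-8"), expected.encode("ascii")):
            logger.warning("gitea webhook rejected: X-Gitea-Signature mismatch from %s", request.client_addr)
            return False
        return True
```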
@@ -139,10 +151,13 @@ if __name__ == "__main__":
     parser.add_argument('--gitea-token', help='gitea token file')
     args = parser.parse_args()
+    pool = Pool(1)
     config = Configurator()
+    config.add_view_predicate('check_hmac', CheckHmacPredicate)
+
     config.add_route("gitlab_payload", "/gitlab_payload")
     config.add_route("gitea_payload", "/gitea_payload")
     config.scan()