Hello .

I’m experiencing an issue with the hmac and hashlib modules in my Python 3.11 service, and I’d appreciate your help in understanding what might be happening.

Problem:

The standard hmac.new() function (and manual HMAC implementations using hashlib.sha256) are not producing the expected SHA256 HMAC hashes, even in a clean Docker environment (python:3.11-slim). This breaks Telegram bot authentication, which relies on correct HMAC-SHA256 verification.

What I’ve tried:

Using uvicorn with a custom start.py to correctly read $PORT

Building with a Dockerfile to ensure a clean Python environment

Testing HMAC logic in isolation — it consistently returns incorrect results

Verified inputs (secret_key, data_check_string) are correct

Despite everything, hmac.new(key, msg, hashlib.sha256).hexdigest() returns a hash that does not match the one expected by Telegram.

Environment:

Runtime: Docker (python:3.11-slim)

Custom start.py used to avoid $PORT issues

hmac, hashlib, and sha256 appear to be available, but results are incorrect

Question:

Is there any known issue or patch applied to the Python environment (e.g., in the base image, musl, or C libraries) that could affect the behavior of hmac or hashlib.sha256?

Could such cryptographic functions be modified or replaced in any way in the underlying build environment?

Any insight would be very helpful. I’d love to keep using Railway, but this issue is blocking a core part of my app.