It is good that you can verify signatures of webhooks from GitHub (JENKINS-33974) but an unfortunate restriction that you are limited to listing only one webhook secret. This would make it more difficult to configure multiple webhooks, or mixtures of manual webhooks and Apps, on a single Jenkins service. It would be useful to be able to set a list of webhook secrets, where an incoming hook would just need to match one of them.