cblown call me daft but are you not better simply storing the hash output you generated using PHP and setting the variable to that, rather than trying to generate this in FreeMarker?
If the challenge and secret key are unlikely to change then it shouldn't cause any problems. This would also be a bit more secure as the challenge string and secret key are not stored then on the community only the hashed output.
There is cleary something different in the way the hash is genered between PHP and FreeMarker, for example I notice that you wrap the entire code in base64_encode for PHP:
echo base64_encode(hash_hmac('sha256', "the quick brown fox jumps over the lazy dog", base64_decode("12345678901234567890") , true));but don't do the same in FreeMarker, you're only decoding the key:
<#assign signature = utils.digest.hmac("HmacSHA256", utils.base64.decode("12345678901234567890”), "the quick brown fox jumps over the lazy dog") />There could be something in that which we're missing.
