We've recently noticed in our logs that the signature verification has been failing in certain cases (this didn't happen before and started happening in the last few weeks). I investigated further and noticed inconsistencies in the URL params.
Some examples (replaced shop name with "xxx" for privacy reasons):
SUCCESS
/oauth2/shopify?code=7e8ec807e9f4b29b6e6d352ff5a654cc&shop=xxx.myshopify.com×tamp=1353377082&signature=3edc31eb7d93813313e937a9ac1c6f8c
/oauth2/shopify?shop=xxx.myshopify.com&signature=63103f985dabf0f102fe7ce8335c9c4c×tamp=1353377555
FAILURES
/oauth2/shopify?shop=xxx.myshopify.com
/oauth2/shopify?code=&shop=xxx.myshopify.com×tamp=1353361621&signature=91927831bbbe9ca37472c2a3fa260a49
Notice that in the failure cases, parameters are either missing (no timestamp or signature in 1st request) or the "code" parameter is blank (for 2nd request).