PHP

How to verify the authenticity of data received from VKontakte?

VK recently launched Community Apps . Regular iframe, get-parameters with user id are passed to the iframe address, and other info...
For security, I need to make sure that these get-parameters are not faked by the user. The documentation seems to have a solution for this:

Among the launch parameters, sign is passed - the signature of the request. With it, you can make sure that the request data has not been spoofed on the client side.
PHP code example for request signature verification:

$sign = ""; 

foreach ($request->getParams() as $key => $param) { 

    if ($key == 'hash' || $key == 'sign') continue; 

    $sign .=$param; 

} 

$secret = 'SECRET_KEY'; 

$sig = $secret ? hash_hmac('sha256', $sign, $secret) : "";

This code creates a $sign variable, then iterates through all the get parameters, skipping hash and sign, and writes the rest to $sign. Further, sha256 values ​​of the get parameters are written to $sig, using the key from $secret; I did everything the same, but when comparing $sig and the sign get parameter, the strings do not match. Did I do something wrong?
My code:

$sign = '';
    
    foreach ($this->input->get() as $key => $value)
    {
      if ($key == 'hash' || $key == 'sign') continue; 
      
      $sign .= $value;
    }
    
    $secret = 's91kf39194ksk141jSdsj1';
    
    $sig = $secret ? hash_hmac('sha256', $sign, $secret) : '';

    echo $sig == $this->input->get('sign');

Outputs nothing, i.e. strings are not equal