The signature is just for the payload you receive with a POST request on an actual event on that topic.
The GET verify request doesnt have any signature you need to check instead you just echo back the challenge as plain text without any quotes or sth else.
Of course if you wish to do some checks on this, you could cache the topics you requested and check against that list on a GET verify request to cross check if its one of the topics you want if not just cancel the subsciption flow