Yes, I was finally able to put together the code to verify the signed requests. We're using Python/Django and are using the misnamed but excellent lib oauth2. You can get it here.
Below is the code for the function that receives the status call from Eloqua and verifies the request.
from django.http import HttpResponse
import oauth2 as oauth

def status(request):
    params = request.GET.copy()
    req_obj = oauth.Request.from_request('GET', **FULL URL WITH PATH BUT NO QUERY STRING**, **DICT OF HTTP HEADERS**, params)
    consumer = oauth.Consumer(**YOUR APP CLIENTID**, **YOUR APP SECRET**)
    srv = oauth.Server(signature_methods={'HMAC-SHA1': oauth.SignatureMethod_HMAC_SHA1()})
    # This will throw an exception if the signature is invalid or expired
    srv.verify_request(req_obj, consumer, None)
    return HttpResponse('')
A thing to note is that this process is using the one-legged OAuth 1.0a process, so there is no token involved. The library basically takes the headers and parameters passed, sorts them lexicographically and creates a string of the method, URL and parameters. This string is then encoded to produce the signature. There are many moving parts here, so it'll be better to use a lib for this that already solves this problem. The issue in my case was finding a lib that worked with the token missing, i.e. one-legged OAuth.
Anyhow, now with this done we can verify status & enable requests from Eloqua, but we can't do this with the actionURL as it is currently not signed.
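The signature check described in the post, written out with only the Python standard library. This is an added example, not part of the original post and not the oauth2 library's code. The URL, secret and parameter values are constructed, the URL is assumed to be already normalized (lowercase scheme and host, no query string), and nonce tracking is left out.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def _enc(value):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode every pair, drop oauth_signature itself, then sort lexicographically
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign(method, url, params, consumer_secret):
    # One-legged flow: no token secret, so the HMAC key ends in a bare "&"
    key = (_enc(consumer_secret) + "&").encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, now=None, max_skew=300):
    # Reject unexpected signature methods instead of trusting the request's choice
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > max_skew:  # stale or future-dated request
        return False
    expected = sign(method, url, params, consumer_secret).encode()
    supplied = str(params.get("oauth_signature", "")).encode()
    return hmac.compare_digest(expected, supplied)  # constant-time comparison

# Constructed sample request (not real Eloqua data)
URL = "https://app.example.com/eloqua/status"
SECRET = "constructed-app-secret"
PARAMS = {"oauth_consumer_key": "constructed-client-id", "oauth_nonce": "n0nce123",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000",
          "oauth_version": "1.0", "instance": "abc 123"}

if __name__ == "__main__":
    signed = dict(PARAMS, oauth_signature=sign("GET", URL, PARAMS, SECRET))
    print(base_string("GET", URL, signed))
    print(verify("GET", URL, signed, SECRET, now=1700000010))
```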