crunk1

Reputation: 2818

Google Cloud Storage Signed URL PUT Content-MD5

I'm trying to create GCS signed URLs: https://cloud.google.com/storage/docs/access-control/create-signed-urls-program#signing-language

I want to have my clients upload directly to GCS. However, I'm running into the classic SignatureDoesNotMatch error. I think it might be something to do with the Content-MD5 digest.

I have a question about the documentation. In 2b, it says you can add an MD5 digest. In the example below that, it looks like the digest might be base64 encoded or something, but the instructions say nothing about encoding the digest. Anyone have any experience with this?

edit: in my latest run, I stopped using MD5 digests, and everything worked fine.

Upvotes: 0

Views: 1264

Answers (1)

Nuno Cruces

Reputation: 1763

You guessed correctly, the MD5 digest has to be base64 encoded.

When you create a signed URL with an MD5 digest, your PUT request must include a Content-MD5 header (as specified here).

Quoting the standard:

Content-MD5   = "Content-MD5" ":" md5-digest
md5-digest    = <base64 of 128 bit MD5 digest as per RFC 1864>

The MD5 digest is computed based on the content of the entity-body, including any content-coding that has been applied, but not including any transfer-encoding applied to the message-body.

The MD5 digest that goes into the signature is the md5-digest above (hence the base64).

Also, this only works with PUT object upload (not with POST, or resumable uploads). As quoted above, care should be taken when using content-coding (Content-Encoding: gzip).

Upvotes: 3
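An added example, not part of the original answer or of Google's documentation: it computes the RFC 1864 Content-MD5 value, puts the same string in both the header and the string to sign, and diagnoses the usual encoding mismatches behind SignatureDoesNotMatch. The legacy (V2) string-to-sign layout, the function names, the bucket, the object name and the expiry are assumptions made for illustration.

```python
import base64
import gzip
import hashlib

def content_md5(body: bytes) -> str:
    """RFC 1864 value: base64 of the raw 16-byte MD5 digest (not the hex string)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")

def string_to_sign(verb, md5_b64, content_type, expiration, resource):
    # Assumption: legacy (V2) string-to-sign layout with no extension headers.
    return "\n".join([verb, md5_b64, content_type, str(expiration), resource])

def upload_plan(payload, resource, expiration, content_type, gzip_body=False):
    """Return (bytes to PUT, headers to send, string the signer must sign)."""
    # Content-coding is applied first, so the digest covers the bytes on the wire.
    body = gzip.compress(payload, mtime=0) if gzip_body else payload
    digest = content_md5(body)
    headers = {"Content-MD5": digest, "Content-Type": content_type}
    if gzip_body:
        headers["Content-Encoding"] = "gzip"
    return body, headers, string_to_sign("PUT", digest, content_type, expiration, resource)

def diagnose(signed_md5: str, body: bytes) -> str:
    """Explain why a signed Content-MD5 value does not match the body being sent."""
    raw = hashlib.md5(body).digest()
    if signed_md5 == base64.b64encode(raw).decode("ascii"):
        return "ok"
    if signed_md5.lower() == raw.hex():
        return "hex digest was signed; base64-encode the raw digest instead"
    if signed_md5 == base64.b64encode(raw.hex().encode()).decode("ascii"):
        return "base64 of the hex string was signed; encode the raw 16 bytes"
    return "digest is for different bytes; check content-coding and body"

# Constructed sample values (bucket, object name and expiry are placeholders).
PAYLOAD = b"hello world"
body, headers, to_sign = upload_plan(PAYLOAD, "/example-bucket/hello.txt", 1700000000, "text/plain")
gz_body, gz_headers, gz_to_sign = upload_plan(
    PAYLOAD, "/example-bucket/hello.txt", 1700000000, "text/plain", gzip_body=True)

if __name__ == "__main__":
    print(headers["Content-MD5"], "->", diagnose(headers["Content-MD5"], body))
    print(hashlib.md5(PAYLOAD).hexdigest(), "->", diagnose(hashlib.md5(PAYLOAD).hexdigest(), body))
    print(headers["Content-MD5"], "vs gzip body ->", diagnose(headers["Content-MD5"], gz_body))
```

The client must send exactly the Content-MD5 and Content-Type values that were signed; a URL signed for the plain body will not verify if the client then uploads the gzip-encoded bytes.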
