-
Notifications
You must be signed in to change notification settings - Fork 368
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
403 request signature does not match errors with 1.5.0 #97
Comments
Sorry for the trouble, and thank you for sharing what you found. I will try to reproduce. |
Would you mind doing a fresh deploy to GCF using |
The issue isn't actually with the signing failing, its that from 1.4.0 to 1.5.0 the actual policy output changed. I finally buckled down and created a simple test:
If you copy this code into a directory and call it test.js, and then copy a private key JSON file (downloaded from the google cloud console) into the same directory with the filename key.json, you can do the following to see the change:
You'll notice that for the exact same policy document and base64 data, the signature is different going from 1.4.0 to 1.5.0: there is no error, just a different signature value that isn't accepted by the cloud storage servers. |
Thanks for that. Indeed, we changed how we were generating the signed policy. I have sent a fix in #99. |
I have a Google Cloud Function that uses file.getSignedPolicy() and nodejs 6.11. In the package.json I was pointing to 1.2.0 like this:
"@google-cloud/storage": "^1.2.0",
After recently updating the function my browser form POST uploads using getSignedPolicy started failing with the following error:
<?xml version='1.0' encoding='UTF-8'?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message><StringToSign>eyJleHBpcmF0aW9uIjoiMjAxNy0xMS0yOVQyMjoxNjoyMi4wMDhaIiwiY29uZGl0aW9ucyI6W1siZXEiLCIka2V5IiwiYjc2MzBhZjAtOThjNS00YjgwLTg2OWItMDAwMGY1MWZhNDJlLXJlZGJlYXItc3RvcmUucGRmIl0seyJidWNrZXQiOiJmYXhyb2NrZXQtZGF0YSJ9LFsiZXEiLCIkQ29udGVudC1UeXBlIiwiYXBwbGljYXRpb24vcGRmIl0seyJzdWNjZXNzX2FjdGlvbl9zdGF0dXMiOiIyMDAifSxbImNvbnRlbnQtbGVuZ3RoLXJhbmdlIiwwLDIwMDAwMDAwXV19</StringToSign></Error>
Absolutely no change to the cloud function code that was doing the signing or the client upload code. After about an hour of mucking around, I updated the package.json to pin the version to 1.2.0:
"@google-cloud/storage": "1.2.0",
Everything works now. I don't have a clean way to be able to tell what the exact signature difference is, but I looked and realized there was a change in 1.5.0 to the getSignedPolicy function: it is doing something different when deployed in the Google Cloud Functions environment.
As an extra twist, the exact same code with 1.5.0 works when deployed in the function emulator: unfortunately I couldn't figure out how to compare the policy signature output of both versions side by side for the same input.
The text was updated successfully, but these errors were encountered: