Incorrectly assumes ETag and MD5 are equivalent

[cyberduck]

48ab3a7 created the issue

Cyberduck assumes that the ETag returned by S3 is equivalent to the MD5 checksum of the file's content. This is not a valid assumption. The ETag will only be the MD5 of the object data when the object is stored as plaintext or encrypted using SSE-S3. If the object is encrypted using another method (such as SSE-C or SSE-KMS) the ETag is not the MD5 of the object data. If the object was created via a multipart upload, the ETag is not the MD5 of the object data.

---

Attachments

• Screen Shot 2018-06-25 at 11.25.58 AM.png (101.2 KiB)
• Screen Shot 2018-06-25 at 11.26.54 AM.png (26.0 KiB)
• Screen Shot 2018-06-25 at 11.27.23 AM.png (16.8 KiB)

[cyberduck]

@dkocher commented

What makes you think that we make this false assumption?

[cyberduck]

48ab3a7 commented

See the attached screenshots. Cyberduck displays a warning saying there is a mismatch. I also calculate the MD5 of the file via the command line and am attaching a screenshot of the ETag shown in the S3 console.

[cyberduck]

@dkocher commented

In 75c0595. Revised fix in 3727bd2 retaining checksum check for files not encrypted with SSE-KMS. For multipart uploads we will fail parsing the ETag as it has a suffix appended to the MD5.

[cyberduck]

@dkocher commented

Milestone renamed