Fix GCS presigned URL signature for multipart part uploads#218
Merged
Conversation
GCS has two deviations from standard AWS S3 V2 signing for presigned URLs: 1. ':' in the object key is normalised to '%3A' in the canonical resource 2. ?partNumber=N&uploadId=X is NOT included in the canonical resource for presigned part PUTs (unlike the AWS S3 V2 spec) Both mismatches caused SignatureDoesNotMatch (403) on every part upload, making all multipart uploads fail. Validated directly against GCS before this fix by generating presigned part URLs and PUTting 5 MB parts. Also applies the ':' fix to PRESIGN_PUT for consistency. Add two e2e tests that check the presigned URL path contains '%3A' instead of raw ':', catching this class of bug in CI against cloudserver. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
matthiasL-scality
force-pushed
the
fix/gcs-presign-colon-encoding
branch
from
July 17, 2026 10:02
56ea6e3 to
57b1d01
Compare
|
LGTM |
GCS does not include ?partNumber=N&uploadId=X in the canonical resource when verifying presigned part PUT signatures (unlike standard AWS S3 V2). cloudserver and other AWS-compatible backends do include them. Detect GCS from ENDPOINT_URL and omit subresources only for GCS, keeping the standard behaviour for all other backends. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
LGTM |
This was referenced Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SignatureDoesNotMatch(403) on every part upload::in the object key is normalised to%3Ain the canonical resource?partNumber=N&uploadId=Xis not included in the canonical resource for presigned part PUTs (unlike the AWS S3 V2 spec)PRESIGN_PART; the:fix also applied toPRESIGN_PUTfor consistencyRoot cause
The existing CI runs against
zenko/cloudserverwhich does not normalise:or exclude subresources, so the bug was not caught there. Two new tests verify the presigned URL path encodes:as%3A, catching this class of bug in future CI runs.Test plan
test.yml— cloudserver)test-uploadworkflow inscality/action-artifactsagainst production after merging and deploying