Skip to content

StreamSigner uses signingTime.UTC() #3105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 10, 2025
Merged

StreamSigner uses signingTime.UTC() #3105

merged 1 commit into from
Jun 10, 2025

Conversation

rb-kurrent
Copy link
Contributor

The workaround for the sdk consumer is easy (always apply .UTC() before passing signingTime), but this feels like an unnecessary footgun. It cost me a couple of hours, at least.

@rb-kurrent rb-kurrent requested a review from a team as a code owner June 4, 2025 04:16
@lucix-aws
Copy link
Contributor

Is the event stream signer broken in the context of using an actual AWS service (i.e. not using the signer directly)?

@lucix-aws lucix-aws added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 5, 2025
@rb-kurrent
Copy link
Contributor Author

Based on my own grep'ing around the code, it looks like all the cases where I see StreamSigner.GetSignature() called in the sdk, they're all using date := time.Now().UTC() to pick a signingTime, so I would guess the answer is "no".

@lucix-aws
Copy link
Contributor

lucix-aws commented Jun 5, 2025
edited
Loading

So what is the context you're using this in where not using UTC() is broken? More specifically, what concrete issue is this patch addressing?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 6, 2025
@rb-kurrent
Copy link
Contributor Author

rb-kurrent commented Jun 6, 2025
edited
Loading

I'm using the signing logic directly to write an S3 proxy, which uses a custom external authn / authz mechanism. The proxy is meant to be transparent to the s3 client in question, so the s3 client is configured with an endpoint pointed at the proxy and some fake credentials. When the proxy accepts a request, it forwards the request to s3 signed with its own aws credentials.

The reason the stream signing is important is that the proxy must not require buffering an entire blob upload (which might be huge) before signing and forwarding the request.

The failure observed is that if you use signingTime := time.Now() then the seed signature is valid but the chunk signatures will be off. The s3 API responds with what it thinks the string to sign is, and if you compare that to what the StreamSigner actually signed, you'll see that the dates can be off if utc time is on a different day of the month than you are at the moment. For me, that happens when I test my code late in the evening.

@lucix-aws
Copy link
Contributor

OK, so it's basically because the short date gets formatted wrong (compared to the full version that's used elsewhere in the signature which I guess the format string forces to be UTC).

I also see we're doing this in request-response sigv4 so this should be fine really.

@lucix-aws
Copy link
Contributor

codegen/integration tests fail in forks, those can be ignored

@rb-kurrent
Copy link
Contributor Author

Cool. I rebased my work onto main. Is there anything else I can do, or is the rest up to you?

@lucix-aws lucix-aws merged commit 4f82369 into aws:main Jun 10, 2025
11 of 13 checks passed
@rb-kurrent
Copy link
Contributor Author

thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lucix-aws lucix-aws lucix-aws approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rb-kurrent @lucix-aws