Describe the feature
Amazon CloudFront announced support for SHA-256 signed URLs and signed cookies on April 1, 2026.
https://aws.amazon.com/about-aws/whats-new/2026/04/amazon-cloudfront-sha-256-signed-urls
Currently, feature/cloudfront/sign hardcodes SHA-1 in signEncodedPolicy()
|
hash := sha1.New() |
|
if _, err := bytes.NewReader(jsonPolicy).WriteTo(hash); err != nil { |
|
return nil, fmt.Errorf("failed to calculate signing hash, %s", err.Error()) |
|
} |
|
|
|
sig, err := signer.Sign(randReader, hash.Sum(nil), crypto.SHA1) |
The generated signed URLs also do not include the Hash-Algorithm query parameter.
According to the CloudFront documentation, SHA-256 signed URLs require:
- Hashing the policy with SHA-256 instead of SHA-1
- Appending
&Hash-Algorithm=SHA256 to the signed URL
Use Case
SHA-256 is cryptographically stronger than SHA-1. While CloudFront maintains backward compatibility with SHA-1, adopting SHA-256 aligns with security best practices. Some organizations have compliance requirements that mandate SHA-2 family algorithms.
Proposed Solution
Add an option to URLSigner and CookieSigner to specify the hash algorithm. For example:
// Option function approach
signer := sign.NewURLSigner(keyID, privKey, sign.WithHashAlgorithm(sign.SHA256))
// Or a new constructor
signer := sign.NewURLSignerSHA256(keyID, privKey)
Changes needed:
- In
signEncodedPolicy(): use crypto/sha256 and crypto.SHA256 when SHA-256 is selected
- In
buildSignedURL() / buildSignedCookie(): append Hash-Algorithm=SHA256 parameter
- Default to SHA-1 for backward compatibility
Other Information
Acknowledgements
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2/feature/cloudfront/sign v1.9.21
Go version used
go1.26.1 darwin/arm64
Describe the feature
Amazon CloudFront announced support for SHA-256 signed URLs and signed cookies on April 1, 2026.
https://aws.amazon.com/about-aws/whats-new/2026/04/amazon-cloudfront-sha-256-signed-urls
Currently,
feature/cloudfront/signhardcodes SHA-1 insignEncodedPolicy()aws-sdk-go-v2/feature/cloudfront/sign/policy.go
Lines 202 to 207 in 790446e
The generated signed URLs also do not include the
Hash-Algorithmquery parameter.According to the CloudFront documentation, SHA-256 signed URLs require:
&Hash-Algorithm=SHA256to the signed URLUse Case
SHA-256 is cryptographically stronger than SHA-1. While CloudFront maintains backward compatibility with SHA-1, adopting SHA-256 aligns with security best practices. Some organizations have compliance requirements that mandate SHA-2 family algorithms.
Proposed Solution
Add an option to
URLSignerandCookieSignerto specify the hash algorithm. For example:Changes needed:
signEncodedPolicy(): usecrypto/sha256andcrypto.SHA256when SHA-256 is selectedbuildSignedURL()/buildSignedCookie(): appendHash-Algorithm=SHA256parameterOther Information
CookieSignerto usecrypto.Signer— this feature could build on that workAcknowledgements
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2/feature/cloudfront/sign v1.9.21Go version used
go1.26.1 darwin/arm64