Horde support for SigV4 presigned urls for S3 storage backend

Hi,

We are setting up Horde with an S3 storage backend, but ran into some issues where our backend storage has a bug with SigV2 presigned urls. Testing with SigV4 presigned urls seem to not show the issue. It appears that Horde is using SigV2 for the presigned urls and I couldn’t find a setting or a way to force it to use SigV4.

Seeing that SigV2 is deprecated in favor of SigV4, is there a way to force Horde to use v4? If not, are there current plans to add SigV4 support?

Thanks!

[Attachment Removed]

Hello! Looking into the HordeServer.Storage source, I can see that we’re not explicitly passing in the signature version, and instead, we’re using the default provided by the AWS SDK.

From the comment on UseSignatureVersion4 in AWSConfigs.S3.cs, it looks as though v4 is set to true by default, except for us-east-1, which is likely for compatibility reasons.

Are your services running in us-east-1? If so, a quick fix to force SigV4 could be to explicitly set UseSignatureVersion4 in AwsObjectStore::CreateStore() before the client is created.

Let me know if this works out for you, or if you’re still seeing SigV2 presigned URLs.

Amazon.AWSConfigsS3.UseSignatureVersion4 = true;
IAmazonS3 client = awsOptions.CreateServiceClient<IAmazonS3>();

[Attachment Removed]

Hi!

Thanks for getting back to me. We are using an s3 storage on premises, so it is not configured to have any region. We also are trying to use Horde without modifying it if at all possible.

After digging through the Horde and AWS SDK code, I did find that setting an environment variable `AWS__AuthenticationRegion: ‘us-west-1’` or indeed any region other than us-east-1 seems to work and force SigV4.

This seems to be a decent workaround to the AWS SDK defaulting to us-east-1, and thus falling back to SigV2.

[Attachment Removed]