{ "id": "api/invalid-signed-url-expiration", "signature": "403 Forbidden: The request signature we calculated does not match the signature you provided. Check your key and signing method.", "signature_zh": "403 禁止:我们计算的请求签名与您提供的签名不匹配。请检查您的密钥和签名方法。", "regex": "403.*signature.*does not match", "domain": "api", "category": "auth_error", "subcategory": null, "root_cause": "Signed URL expiration or key mismatch due to clock skew or incorrect signing algorithm.", "root_cause_type": "generic", "root_cause_zh": "签名URL过期或密钥不匹配,因时钟偏差或签名算法错误导致。", "versions": [ { "version": "AWS S3 SDK v1.12.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Google Cloud Storage XML API v1", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Azure Blob Storage REST API 2021-12-02", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Regenerating the same URL with same parameters but ignoring clock skew between servers (e.g., more than 5 minutes drift) will still fail.", "fail_rate": 0.65, "condition": "", "sources": [] }, { "action": "", "why_fails": "Switching to a different signing algorithm (e.g., from HMAC-SHA256 to HMAC-SHA1) without updating both client and server causes mismatch.", "fail_rate": 0.55, "condition": "", "sources": [] }, { "action": "", "why_fails": "Copying the signed URL to a different environment (e.g., from staging to production) where the secret key differs will always fail.", "fail_rate": 0.75, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Synchronize system clocks using NTP (e.g., run 'ntpdate pool.ntp.org' or enable NTP service) and regenerate the signed URL within the expiration window.", "success_rate": 0.85, "how": "Synchronize system clocks using NTP (e.g., run 'ntpdate pool.ntp.org' or enable NTP service) and regenerate the signed URL within the expiration window.", "condition": "", "sources": [] }, { "action": "If using AWS S3 signed URLs, verify the signing region and service: ensure 'X-Amz-Algorithm' is 'AWS4-HMAC-SHA256' and the credential scope matches the bucket region. Example: aws s3 presign s3://mybucket/file --expires-in 3600 --region us-east-1", "success_rate": 0.8, "how": "If using AWS S3 signed URLs, verify the signing region and service: ensure 'X-Amz-Algorithm' is 'AWS4-HMAC-SHA256' and the credential scope matches the bucket region. Example: aws s3 presign s3://mybucket/file --expires-in 3600 --region us-east-1", "condition": "", "sources": [] }, { "action": "Implement retry logic with clock drift compensation: subtract 30 seconds from current time when generating the signature to account for minor skew.", "success_rate": 0.75, "how": "Implement retry logic with clock drift compensation: subtract 30 seconds from current time when generating the signature to account for minor skew.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Synchronize system clocks using NTP (e.g., run 'ntpdate pool.ntp.org' or enable NTP service) and regenerate the signed URL within the expiration window.", "If using AWS S3 signed URLs, verify the signing region and service: ensure 'X-Amz-Algorithm' is 'AWS4-HMAC-SHA256' and the credential scope matches the bucket region. Example: aws s3 presign s3://mybucket/file --expires-in 3600 --region us-east-1", "Implement retry logic with clock drift compensation: subtract 30 seconds from current time when generating the signature to account for minor skew." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html", "official_doc_section": null, "error_code": "SignatureDoesNotMatch", "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.82, "resolvable": "partial", "first_seen": "2024-03-12", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }