# 403 Forbidden: The request signature we calculated does not match the signature you provided. Check your key and signing method.

- **ID:** `api/invalid-signed-url-expiration`
- **Domain:** api
- **Category:** auth_error
- **Error code:** `SignatureDoesNotMatch`
- **Verification level:** ai_generated
- **Fix rate:** 82%

## Root cause

The signed URL has expired or the key does not match, caused by clock skew or an incorrect signing algorithm.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS S3 SDK v1.12.0 | active | — | — |
| Google Cloud Storage XML API v1 | active | — | — |
| Azure Blob Storage REST API 2021-12-02 | active | — | — |

## Solutions

1. Synchronize system clocks using NTP (e.g. run `ntpdate pool.ntp.org` or enable the NTP service) and regenerate the signed URL within the expiration window.
2. If using AWS S3 signed URLs, verify the signing region and service: ensure `X-Amz-Algorithm` is `AWS4-HMAC-SHA256` and the credential scope matches the bucket region. Example: `aws s3 presign s3://mybucket/file --expires-in 3600 --region us-east-1`
3. Implement retry logic with clock-drift compensation: subtract 30 seconds from the current time when generating the signature to account for minor skew.

## Failed attempts

- Regenerating the same URL with the same parameters while ignoring clock skew between servers (e.g. more than 5 minutes of drift) will still fail. (65% failure rate)
- Switching to a different signing algorithm (e.g. from HMAC-SHA256 to HMAC-SHA1) without updating both client and server causes a mismatch. (55% failure rate)
- Copying the signed URL to a different environment (e.g. from staging to production) where the secret key differs will always fail. (75% failure rate)
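To make the solutions and the failed attempts above concrete, the following is an added example, not part of this record and not AWS, Google or Azure code. It implements a deliberately simplified HMAC-SHA256 signed-URL scheme (the `X-Sig-*` query parameters, the key id `AKIA-EXAMPLE`, the secrets, the host `example-bucket.invalid` and the fixed clock values are all constructed for illustration; this is not SigV4) and a verifier that distinguishes a signature mismatch from an expiry or a skew rejection. It then reproduces each failure from the list: a different secret in another environment, a changed algorithm parameter, a tampered path, an expired URL, and a client clock more than five minutes ahead, and shows how the 30-second backdating from step 3 absorbs minor skew.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed scheme for illustration only; not AWS SigV4 or any vendor's format.
ALGORITHM = "HMAC-SHA256"
HOST = "https://example-bucket.invalid"  # placeholder host, constructed


def canonical_string(method, path, issued_at, expires_in, key_id):
    """Fixed-order string of everything the verifier must rebuild the signature over."""
    return "\n".join([method.upper(), path, str(issued_at), str(expires_in), key_id, ALGORITHM])


def sign(secret, canonical):
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def presign(method, path, key_id, secret, expires_in, now=None, skew_compensation=0):
    """Build a signed URL. skew_compensation backdates the issue time (step 3 above)."""
    issued_at = int(time.time() if now is None else now) - skew_compensation
    params = {
        "X-Sig-Algorithm": ALGORITHM,
        "X-Sig-KeyId": key_id,
        "X-Sig-Date": issued_at,
        "X-Sig-Expires": expires_in,
    }
    params["X-Sig-Signature"] = sign(
        secret, canonical_string(method, path, issued_at, expires_in, key_id))
    return f"{HOST}{path}?{urlencode(params)}"


def verify(method, url, secrets, now=None, max_skew=300):
    """Return (ok, reason). secrets maps key_id -> secret known to THIS environment."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    try:
        algo, key_id = q["X-Sig-Algorithm"], q["X-Sig-KeyId"]
        issued_at, expires_in = int(q["X-Sig-Date"]), int(q["X-Sig-Expires"])
        provided = q["X-Sig-Signature"]
    except (KeyError, ValueError):
        return False, "MalformedRequest"
    if algo != ALGORITHM:
        # Client switched algorithms without the server following (failed attempt 2).
        return False, "UnsupportedAlgorithm"
    secret = secrets.get(key_id)
    if secret is None:
        return False, "InvalidAccessKeyId"
    expected = sign(secret, canonical_string(
        method, parsed.path, issued_at, expires_in, key_id))
    # Constant-time comparison; any change to secret, path, method or params lands here.
    if not hmac.compare_digest(expected, provided):
        return False, "SignatureDoesNotMatch"
    now = int(time.time() if now is None else now)
    if issued_at - now > max_skew:
        # Signed "in the future": the client clock is ahead of the server by > max_skew.
        return False, "RequestTimeTooSkewed"
    if now > issued_at + expires_in:
        return False, "RequestExpired"
    return True, "OK"


def demo():
    """Reproduce the failure modes listed on this page with a fixed, constructed clock."""
    T = 1_700_000_000  # constructed server time
    staging = {"AKIA-EXAMPLE": "staging-secret"}
    url = presign("GET", "/reports/q3.pdf", "AKIA-EXAMPLE", "staging-secret", 3600, now=T)
    results = {
        "valid": verify("GET", url, staging, now=T + 60),
        # Same URL copied to an environment whose secret differs (failed attempt 3).
        "wrong_secret": verify("GET", url, {"AKIA-EXAMPLE": "production-secret"}, now=T + 60),
        # Algorithm parameter changed on only one side (failed attempt 2).
        "algo_mismatch": verify("GET", url.replace("HMAC-SHA256", "HMAC-SHA1"), staging, now=T + 60),
        # Path edited after signing: signature no longer covers what was requested.
        "tampered_path": verify("GET", url.replace("/reports/q3.pdf", "/reports/q4.pdf"), staging, now=T + 60),
        # Regenerating nothing and retrying after the window has closed.
        "expired": verify("GET", url, staging, now=T + 3601),
    }
    # Client clock 310 s ahead of the server: beyond the 5-minute tolerance (failed attempt 1).
    ahead = presign("GET", "/reports/q3.pdf", "AKIA-EXAMPLE", "staging-secret", 3600, now=T + 310)
    results["client_ahead"] = verify("GET", ahead, staging, now=T)
    # Same drift, but the signer backdates by 30 s as in step 3: now inside the window.
    compensated = presign("GET", "/reports/q3.pdf", "AKIA-EXAMPLE", "staging-secret", 3600,
                          now=T + 310, skew_compensation=30)
    results["compensated"] = verify("GET", compensated, staging, now=T)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

The verifier checks the signature before the timestamps on purpose: a `SignatureDoesNotMatch` answer means key, algorithm or canonical input differ and no amount of clock correction will help, whereas `RequestTimeTooSkewed` or `RequestExpired` point at NTP and the expiry window. Real services collapse some of these into the single 403 quoted in the title, which is why the distinction has to be made on the client side by checking each cause in turn.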
