| ▲ | mdavidn 4 days ago | |
I think you can presign PutObject calls that validate a particular SHA-256 checksum. An API endpoint, e.g. in a Lambda, can effectively enforce this rule. It unfortunately won’t work on multipart uploads except on individual parts. | ||
| ▲ | UltraSane 4 days ago | parent | next [-] | |
The hash of multipart uploads is simply the hash of all the part hashes. I've been able to replicate it. | ||
| ▲ | thayne 4 days ago | parent | prev | next [-] | |
But in order to do that you need to already know the contents of the file. I suppose you could have some API to request a signed url for a certain hash, but that starts getting complicated, especially if you need support for multi-part uploads, which you probably do. | ||
| ▲ | JoshTriplett 4 days ago | parent | prev [-] | |
Unfortunately, last I checked, the list of headers you're allowed to enforce for pre-signing does not include the hash. | ||