Unfortunately, last I checked, the list of headers you're allowed to enforce for pre-signing does not include the hash.