-
Notifications
You must be signed in to change notification settings - Fork 0
Signature Notes and Highlights
WebbinRoot edited this page Mar 9, 2026
·
1 revision
Primary reference (authoritative signing basis):
The notes below call out notable OCISigner behaviors and implementation highlights relative to that signing model.
- Timestamp Behavior
- Standard Body-Header Signing
- Object Storage PUT Exceptions
- Signing Mode Notes
- Validation Behavior
- If both
dateandx-dateare present,x-dateis used in the signing string. - With Update timestamp enabled, OCISigner refreshes
date/x-datebefore signing.
For standard OCI signing behavior, PUT/POST requests include body headers in the signature set:
x-content-sha256content-typecontent-length
This includes empty-body PUT/POST requests where required headers are still part of signing behavior.
For these two Object Storage PUT APIs only, there is a smaller number of required signed headers that include request-target + host + date/x-date:
-
PutObject:/n/{namespace}/b/{bucket}/o/{object} -
UploadPart:/n/{namespace}/b/{bucket}/u/{uploadId}/id/{partNumber}
Additional headers normally required for PUT/POST requests are signed as present. For example:
- If
x-content-sha256is present, it is signed. - If
content-lengthis present, it is signed. - If both are present, both are signed.
- Standard (OCI SDK) follows SDK/provider behavior for the selected auth mode.
- Manual (custom) uses OCISigner manual-signing logic and allows custom signing behavior control.
- Test Credentials validates provider material and signing readiness.
- Most auth methods may probe namespace endpoint behavior where applicable.
- Instance Principal has a different validation path focused on federation token flow.