fix(blob): drop client-side x-amz-checksum-sha256 header on PUTs

MajorTal · claude · MajorTal · commit 4e1215b0c275 · 2026-04-20T17:28:17.000+02:00
S3 rejected the PUTs with 'headers not signed: x-amz-checksum-sha256' because the presigned URL (from the gateway) didn't include that header in its signed headers list. The gateway now signs URLs without ChecksumAlgorithm (see run402-private commit d1c0f774), so the client must NOT send the checksum header either.

Client-asserted sha256 (declared at POST /uploads) remains the integrity attestation — stored in the blob row and echoed back as x-run402-sha256 at download time. Immutable URLs still work end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/cli/lib/blob.mjs b/cli/lib/blob.mjs
@@ -202,21 +202,28 @@ async function putOne(project, filePath, opts) {
   // this loop runs once.
   const etags = Array(initRes.part_count);
   for (const pn of Object.keys(state.parts_done || {})) {
-    etags[parseInt(pn, 10) - 1] = state.parts_done[pn];
+    const pd = state.parts_done[pn];
+    // Legacy resume state stored just the etag string; new code stores
+    // { etag, sha256 }. Normalize on load.
+    etags[parseInt(pn, 10) - 1] = typeof pd === "string" ? { etag: pd, sha256: undefined } : pd;
   }
 
+  // Presigned URLs are signed WITHOUT ChecksumAlgorithm (see gateway
+  // s3-presign.ts). The client-asserted sha256 declared at init is the
+  // integrity attestation — no x-amz-checksum-sha256 header on PUTs, and
+  // the gateway trusts the declared value at complete when S3 has none.
   const todo = initRes.parts.filter((p) => !(state.parts_done || {})[String(p.part_number)]);
   await withConcurrency(todo, opts.concurrency, async (part) => {
     const { etag } = await putPart(filePath, part);
-    etags[part.part_number - 1] = etag;
-    state.parts_done[String(part.part_number)] = etag;
+    etags[part.part_number - 1] = { etag };
+    state.parts_done[String(part.part_number)] = { etag };
     saveState(state);
     log(opts, { event: "part", upload_id: state.upload_id, part_number: part.part_number, etag });
   });
 
   // Complete
   const body = initRes.mode === "multipart"
-    ? { parts: etags.map((e, i) => ({ part_number: i + 1, etag: e })) }
+    ? { parts: etags.map((e, i) => ({ part_number: i + 1, etag: e.etag })) }
     : {};
   const complete = await apiFetch(`${API}/storage/v1/uploads/${state.upload_id}/complete`, "POST", project, body);
   if (complete.status !== 200) die(`Complete failed: HTTP ${complete.status}: ${JSON.stringify(complete.body)}`);
@@ -242,7 +249,8 @@ async function putPart(filePath, part) {
 
   const res = await fetch(part.url, { method: "PUT", body });
   if (!res.ok) {
-    throw new Error(`Part ${part.part_number} PUT failed: ${res.status} ${res.statusText}`);
+    const errBody = await res.text().catch(() => "");
+    throw new Error(`Part ${part.part_number} PUT failed: ${res.status} ${res.statusText}${errBody ? " — " + errBody.slice(0, 200) : ""}`);
   }
   const etag = res.headers.get("etag") ?? "";
   return { etag };
diff --git a/src/tools/blob-put.ts b/src/tools/blob-put.ts
@@ -103,23 +103,29 @@ export async function handleBlobPut(args: Args): Promise<{ content: Array<{ type
     part_count: number;
   };
 
-  // 2. PUT each part (bytes direct to S3 — NOT through the gateway)
-  const etags: string[] = new Array(initBody.part_count);
+  // 2. PUT each part (bytes direct to S3 — NOT through the gateway).
+  //    Presigned URLs sign without ChecksumAlgorithm (see gateway
+  //    s3-presign.ts); the client-asserted sha256 is the integrity
+  //    attestation. No x-amz-checksum-sha256 header is sent.
+  const partEtags: Array<{ etag: string }> = new Array(initBody.part_count);
   for (const part of initBody.parts) {
     const partBuffer = await readPart(bodyBuffer, args.local_path, part.byte_start, part.byte_end);
     const putRes = await fetch(part.url, { method: "PUT", body: partBuffer as unknown as BodyInit });
     if (!putRes.ok) {
+      const errBody = await putRes.text().catch(() => "");
       return {
-        content: [{ type: "text", text: `Part ${part.part_number} PUT failed: ${putRes.status} ${putRes.statusText}` }],
+        content: [{ type: "text", text: `Part ${part.part_number} PUT failed: ${putRes.status} ${putRes.statusText}${errBody ? " — " + errBody.slice(0, 200) : ""}` }],
         isError: true,
       };
     }
-    etags[part.part_number - 1] = (putRes.headers.get("etag") ?? "").replace(/^"|"$/g, "");
+    partEtags[part.part_number - 1] = {
+      etag: (putRes.headers.get("etag") ?? "").replace(/^"|"$/g, ""),
+    };
   }
 
   // 3. Complete
   const completeBody = initBody.mode === "multipart"
-    ? { parts: etags.map((e, i) => ({ part_number: i + 1, etag: `"${e}"` })) }
+    ? { parts: partEtags.map((e, i) => ({ part_number: i + 1, etag: `"${e.etag}"` })) }
     : {};
   const complete = await apiRequest(`/storage/v1/uploads/${initBody.upload_id}/complete`, {
     method: "POST",
