From 4429c7b875f02b53ea646762f8078c912b17dc57 Mon Sep 17 00:00:00 2001
From: "Matthew N. Heler" <matthew.heler@hotmail.com>
Date: Mon, 29 Sep 2025 15:37:32 -0500
Subject: [PATCH] rgw/s3: Always include x-amz-content-sha256 header in AWS v4
 signatures for S3 compatibility

Signed-off-by: Matthew N. Heler <matthew.heler@hotmail.com>
---
 src/rgw/rgw_rest_s3.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 3cff2110cab1..ab969dac29d6 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6368,7 +6368,11 @@ AWSSignerV4::prepare(const DoutPrefixProvider *dpp,
   if (opt_content) {
     content_hash = rgw::auth::s3::calc_v4_payload_hash(opt_content->to_str());
     extra_headers["x-amz-content-sha256"] = content_hash;
-
+  } else {
+    /* Some S3-compatible services require x-amz-content-sha256 header to always
+     * be present and included in the signature, even for unsigned payload.
+     * AWS S3 specification states that this header is required for all requests. */
+    extra_headers["x-amz-content-sha256"] = AWS4_UNSIGNED_PAYLOAD_HASH;
   }
 
   /* craft canonical headers */
-- 
2.47.3