CloudFront, signed URLs and desync?

Open om26er opened this issue 2 years ago • 3 comments

Has anyone tried desync with CloudFront, and that too with presigned URLs? Or, to rephrase my question: what is the recommended way to access casync chunks over S3? Should that be an unprotected (no auth) URL?

om26er avatar Jul 02 '22 00:07 om26er

While I haven't used it with cloudfront, S3 auth is definitely supported. Take a look at https://github.com/folbricht/desync#s3-chunk-stores and https://github.com/folbricht/desync#example-config

folbricht avatar Jul 02 '22 08:07 folbricht

> Has anyone tried desync with CloudFront, and that too with presigned URLs? Or, to rephrase my question: what is the recommended way to access casync chunks over S3? Should that be an unprotected (no auth) URL?

To come at your question from a different perspective...

Because the chunks are content-addressed, there's no need for an additional signature: If they don't hash to the value in their filename, they'll be recognized as invalid.

Thus, it's only the index that needs to be signed, and one can reasonably choose to use a different distribution method (or add out-of-band signatures with existing solutions -- OpenPGP, Saltpack, etc) there.

charles-dyfis-net avatar Jul 02 '22 14:07 charles-dyfis-net

I have found a solution. We can easily do that by using CloudFront's custom policy https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html -- I have also validated that with desync and it works (with a small patch). See https://github.com/folbricht/desync/pull/229

om26er avatar Dec 03 '22 22:12 om26er
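
An added example, not code from this thread, from desync or from PR #229: a Go sketch of the CloudFront custom-policy signing mentioned in the last comment, where a wildcard `Resource` lets one signature cover every chunk URL under a store prefix until it expires. The distribution domain, store prefix, key-pair ID and all function names are constructed placeholders, and the RSA key is generated on the spot instead of being the key registered with CloudFront.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// cfEscape is CloudFront's URL-safe base64 variant: '+'->'-', '='->'_', '/'->'~'.
var cfEscape = strings.NewReplacer("+", "-", "=", "_", "/", "~")

// customPolicy builds a policy whose wildcard Resource covers every object
// under prefix, so a single signature serves all chunk requests until expiry.
func customPolicy(prefix string, expires time.Time) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s*","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		prefix, expires.Unix())
}

// signedQuery returns the query string to append to each object URL (RSA PKCS#1 v1.5 over SHA-1).
func signedQuery(policy, keyPairID string, key *rsa.PrivateKey) (string, error) {
	digest := sha1.Sum([]byte(policy))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	enc := func(b []byte) string { return cfEscape.Replace(base64.StdEncoding.EncodeToString(b)) }
	return "Policy=" + enc([]byte(policy)) + "&Signature=" + enc(sig) + "&Key-Pair-Id=" + keyPairID, nil
}

func newDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // throwaway demo key

func main() {
	key, err := newDemoKey()
	if err != nil {
		panic(err)
	}
	// Constructed placeholders: distribution domain, store prefix and key-pair ID.
	policy := customPolicy("https://dexample.cloudfront.net/store/", time.Now().Add(time.Hour))
	q, err := signedQuery(policy, "KEXAMPLEID", key)
	if err != nil {
		panic(err)
	}
	fmt.Println("https://dexample.cloudfront.net/store/<chunk path>?" + q)
}
```

Keep the expiry short and the prefix as narrow as the store allows, since anyone holding the query string can fetch everything the wildcard matches until `DateLessThan` passes.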