Aws::CloudFront::Signer SHA1 digest is not supported on Fedora Linux #3313

@jdufresne

Describe the bug

The Aws::CloudFront::Signer class always uses the digest algorithm "SHA1",

@cipher = OpenSSL::Digest.new('SHA1')

But this digest algorithm is unsupported since Fedora 41:

https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer

When using Aws::CloudFront::Signer on Fedora, it results in:

OpenSSL::PKey::PKeyError (EVP_DigestSignInit: invalid digest):

Changing the digest to SHA256 works for me, either by patching the aws-sdk-cloudfront gem or by overriding the class.

 @cipher = OpenSSL::Digest.new('SHA256')

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Aws::CloudFront::Signer is compatible with a default Fedora installation without any monkey patching.

Current Behavior

Results in the error:

OpenSSL::PKey::PKeyError (EVP_DigestSignInit: invalid digest):

Reproduction Steps

Using Fedora Linux:

require 'aws-sdk-cloudfront'

signer = Aws::CloudFront::UrlSigner.new(key_pair_id: 'MY_KEY_PAIR_ID', private_key_path: '/home/jon/private.pem')
signed_url = signer.signed_url('https://mydistribution.cloudfront.net/myvideo.mp4', expires: Time.now.to_i + 3600)
puts signed_url

.../vendor/bundle/ruby/3.4.0/gems/aws-sdk-cloudfront-1.132.0/lib/aws-sdk-cloudfront/signer.rb:98:in 'OpenSSL::PKey::PKey#sign': EVP_DigestSignInit: invalid digest (OpenSSL::PKey::PKeyError)
	from .../vendor/bundle/ruby/3.4.0/gems/aws-sdk-cloudfront-1.132.0/lib/aws-sdk-cloudfront/signer.rb:98:in 'Aws::CloudFront::Signer#sign_policy'
	from .../vendor/bundle/ruby/3.4.0/gems/aws-sdk-cloudfront-1.132.0/lib/aws-sdk-cloudfront/signer.rb:91:in 'Aws::CloudFront::Signer#signature'
	from .../vendor/bundle/ruby/3.4.0/gems/aws-sdk-cloudfront-1.132.0/lib/aws-sdk-cloudfront/url_signer.rb:30:in 'Aws::CloudFront::UrlSigner#signed_url'
	from test.rb:4:in '<main>'

Possible Solution

require 'aws-sdk-cloudfront'

class MyUrlSigner < Aws::CloudFront::UrlSigner
  def initialize(...)
    super
    @cipher = OpenSSL::Digest.new('SHA256')
  end
end

signer = MyUrlSigner.new(key_pair_id: 'MY_KEY_PAIR_ID', private_key_path: '/home/jon/private.pem')
signed_url = signer.signed_url('https://mydistribution.cloudfront.net/myvideo.mp4', expires: Time.now.to_i + 3600)
puts signed_url

Additional Information/Context

No response

Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version

aws-sdk-cloudfront

Environment details (Version of Ruby, OS environment)

Fedora Linux, ruby 3.4.7 (2025-10-08 revision 7a5688e2a2) +PRISM [x86_64-linux]
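
A host-level check for the failure reported above, as an added example that is not part of the original report or of the aws-sdk-ruby code: it signs a constructed policy string with a throwaway RSA key to see which digests the local OpenSSL policy permits for signing. `probe_rsa_digest` and `signing_digest_report` are hypothetical helper names, and the key and policy are constructed sample data.

```ruby
require 'openssl'

# Throwaway key generated in memory and a constructed policy string;
# neither is a real CloudFront key pair or resource.
PROBE_KEY  = OpenSSL::PKey::RSA.new(2048)
PROBE_DATA = '{"Statement":[{"Resource":"https://example.invalid/constructed"}]}'

# Try an RSA sign/verify round trip with the named digest.
#   :ok             signing and verification both succeeded
#   :rejected       OpenSSL refused the digest for signing (the
#                   "EVP_DigestSignInit: invalid digest" case in this issue)
#                   or the signature did not verify
#   :unknown_digest the digest name is not recognised by this OpenSSL build
def probe_rsa_digest(name, key: PROBE_KEY, data: PROBE_DATA)
  signature = key.sign(OpenSSL::Digest.new(name), data)
  key.verify(OpenSSL::Digest.new(name), signature, data) ? :ok : :rejected
rescue OpenSSL::PKey::PKeyError
  :rejected
rescue RuntimeError, OpenSSL::OpenSSLError
  # Older openssl gems raise RuntimeError for unknown names, newer ones
  # raise an OpenSSL error class; treat both the same way.
  :unknown_digest
end

# Map each digest name to its probe result, e.g. for a startup check or CI job
# that should flag hosts where SHA1 signing is disabled by crypto policy.
def signing_digest_report(names = %w[SHA1 SHA256])
  names.to_h { |name| [name, probe_rsa_digest(name)] }
end

if __FILE__ == $PROGRAM_NAME
  signing_digest_report.each { |name, status| puts "#{name}: #{status}" }
end
```

On a host whose crypto policy distrusts SHA1 signatures, the `SHA1` entry is expected to come back as `:rejected` while `SHA256` stays `:ok`.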

Labels

bug (This issue is a bug.), investigating (Issue is being investigated)