"SignatureDoesNotMatch" issue on upload to Object Storage

I am developing an iOS client for Linode that uploads large files (> 1 GB) to Linode Object Storage.

The essential functionality is working fine for me - the app is able to obtain a presigned URL, and upload a file to the Object Storage bucket.

But I want to use the payload validation option (specification of an MD5 checksum) to increase reliability of the uploads. My understanding, by reading here (https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/s3-example-presigned-urls.html) - "Generate a Pre-Signed URL for an Amazon S3 PUT Operation with a Specific Payload", is that it's a matter of adding a "Content-MD5: base64_md5_checksum" header to the initial request for the presigned URL, and to the subsequent call to upload the content (file in my case).

But when I add the Content-MD5 header I only ever get back a "SignatureDoesNotMatch" response with a HTTP 403 - Forbidden error.

I am able to reproduce my issue using curl scripts, so here is an example:

I generate the base64 checksum for the file with this command:

openssl dgst -md5 -binary example_content.txt | base64
2cll7gQQLnqIfRPeJTDnIA==

Request the presigned URL:

curl --verbose -H "Content-Type: application/json" -H "Content-MD5: 2cll7gQQLnqIfRPeJTDnIA==" -H "Authorization: Bearer XXX" -d '{ "method": "PUT", "content_type": "application/octet-stream", "name": "example_content.txt", "expires_in": 86400 }' https://api.linode.com/v4/object-storage/buckets/us-east-1/bucket_name/object-url

Then make the call to upload the file using the presigned URL:

curl --verbose -H "Content-Type: application/octet-stream" -H "Content-MD5: 2cll7gQQLnqIfRPeJTDnIA==" -X PUT -T example_content.txt 'https://us-east-1.linodeobjects.com:443/bucket_name/example_content.txt?Signature=f7YMf9bQxYznqf2OLNgIuCx4BkM%3D&Expires=1613756067&AWSAccessKeyId=6DDC765NIE5I3A6P52QS'

Here's the relevant curl output:

• SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
• ALPN, server accepted to use http/1.1
• Server certificate:
• subject: CN=us-east-1.linodeobjects.com
• start date: Dec 16 15:44:23 2020 GMT
• expire date: Mar 16 15:44:23 2021 GMT
• subjectAltName: host "us-east-1.linodeobjects.com" matched cert's "us-east-1.linodeobjects.com"
• issuer: C=US; O=Let's Encrypt; CN=R3
• SSL certificate verify ok.
  PUT /bucket_name/example_content.txt?Signature=f7YMf9bQxYznqf2OLNgIuCx4BkM%3D&Expires=1613756067&AWSAccessKeyId=6DDC765NIE5I3A6P52QS HTTP/1.1
  Host: us-east-1.linodeobjects.com
  User-Agent: curl/7.64.1
  Accept: /
  Content-Type: application/octet-stream
  Content-MD5: 2cll7gQQLnqIfRPeJTDnIA==
  Content-Length: 566855
  Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 403 Forbidden
< Date: Thu, 18 Feb 2021 17:40:12 GMT
< Content-Type: application/xml
< Content-Length: 200
< Connection: keep-alive
< x-amz-request-id: tx000000000000006c1bfb8-00602ea67c-1e5d58c-default
< Accept-Ranges: bytes

• HTTP error before end of send, stop sending
  <
• Closing connection 0
• TLSv1.2 (OUT), TLS alert, close notify (256):
  <error>SignatureDoesNotMatch<requestid>tx000000000000006c1bfb8-00602ea67c-1e5d58c-default</requestid><hostid>1e5d58c-default-default</hostid></error>

I looked here to see if any of the remedies and workarounds could work for me: https://www.linode.com/community/questions/21069/some-file-with-signaturedoesnotmatch, but none made a difference.

Please note the above curl calls work just fine to do the upload when I remove the "Content-MD5" headers.

I tried disabling the "Expect: 100-continue" header, as suggested by others, but that did not help.

Can you please help me figure out where I am going wrong?