Creating Signed URLs for Google Cloud Storage Using NodeJS

I am trying to create a signature for a privately stored file in Google Cloud Storage, so that I can distribute a time-limited link.

This is what I am currently doing, and it produces a signature that is too short. Where am I going wrong?

const crypto = require("crypto");

// Expiry value that goes into the string below.
// NOTE(review): Date#getTime() returns milliseconds, so "+ 3600" adds 3.6 seconds,
// not one hour; the Expires field of a GCS signed URL is a Unix time in seconds.
const ttl = new Date().getTime() + 3600;
const id = 'the_target_file.txt';
const bucketName = 'bucket_name';

// Newline-separated fields: verb, two empty fields, expiry, then /bucket/object.
const resourcePath = '/' + bucketName + '/' + id;
const policyText = ["GET", "", "", ttl, resourcePath].join("\n");

// stringify and encode the policy
// NOTE(review): JSON.stringify on a string wraps it in quotes and escapes the
// newlines, so what gets encoded is no longer the raw newline-separated text.
const encodedPolicy = Buffer.from(JSON.stringify(policyText), "utf-8").toString("base64");

// "sign" the base64 encoded policy
// NOTE(review): createHmac produces a keyed hash (32 bytes for SHA-256), not an
// RSA signature made with the service account's private key. That is why the
// printed value is shorter than expected.
const privateKey = "MY_PRIVATE_KEY";
const signature = crypto
  .createHmac("sha256", privateKey)
  .update(Buffer.from(encodedPolicy, "utf-8"))
  .digest("base64");

console.log(signature);
2 answers

I realized what I was doing wrong: I was hashing the policy string instead of signing it. The following code now gives me the correct result.

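 const crypto = require("crypto");
 const fs = require("fs");

 // Builds a time-limited signed URL (legacy query-string format with
 // GoogleAccessId / Expires / Signature) for one object and prints it.
 // NOTE(review): Google now recommends V4 signing for new code; confirm which
 // format your deployment should use.

 // Expires must be a Unix timestamp in SECONDS. Date.now() is in milliseconds,
 // so convert before adding the one-hour lifetime; a millisecond value would be
 // read as a far-future time (or rejected) and the link would not be
 // time-limited as intended.
 const expiry = Math.floor(Date.now() / 1000) + 3600;
 const key = 'the_target_file';
 const bucketName = 'bucket_name';
 const accessId = 'my_access_id';

 // String-to-sign: verb, Content-MD5 (empty), Content-Type (empty), expiry,
 // then the resource path. It is signed as-is, without base64 or JSON encoding.
 const stringPolicy = "GET\n" + "\n" + "\n" + expiry + "\n" + '/' + bucketName + '/' + key;

 // Service-account private key in PEM form. Keep this file out of source
 // control and readable only by the process that signs URLs.
 const privateKey = fs.readFileSync("gcs.pem", "utf8");

 // RSA signature over the string-to-sign using SHA-256, base64-encoded and then
 // percent-encoded so that '+', '/' and '=' survive in the query string.
 const signature = encodeURIComponent(
   crypto.createSign('sha256').update(stringPolicy).sign(privateKey, "base64")
 );

 // Anyone holding this URL can read the object until it expires, so keep the
 // lifetime as short as the use case allows.
 const signedUrl = "https://" + bucketName + ".commondatastorage.googleapis.com/" + key +
   "?GoogleAccessId=" + accessId +
   "&Expires=" + expiry +
   "&Signature=" + signature;

 console.log(signedUrl);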

For completeness, here is a PHP version that does the same thing, which I used to check my results.

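 // Builds a time-limited signed URL for one Cloud Storage object and echoes it.

 // Expires: Unix timestamp in seconds, one hour from now.
 $expiry = time() + 3600;
 $key = 'the_target_file';
 $bucketName = 'bucket_name';
 $accessId = 'my_access_id';

 // String-to-sign: verb, Content-MD5 (empty), Content-Type (empty), expiry,
 // then the resource path.
 $stringPolicy = "GET\n\n\n" . $expiry . "\n/" . $bucketName . "/" . $key;

 // Read the whole PEM file; a fixed-size fread() would silently truncate a
 // larger file and produce an unusable key.
 $priv_key = file_get_contents('gcs.pem');
 if ($priv_key === false) {
     throw new RuntimeException('Unable to read private key file gcs.pem');
 }

 // NOTE(review): "password" is the passphrase literal from this example. In
 // real use, load the passphrase from configuration or a secret store rather
 // than keeping it in source code.
 $pkeyid = openssl_get_privatekey($priv_key, "password");
 if ($pkeyid === false) {
     throw new RuntimeException('Unable to load private key (wrong passphrase or malformed PEM)');
 }

 // Fail loudly instead of printing nothing when signing does not succeed.
 if (!openssl_sign($stringPolicy, $signature, $pkeyid, 'sha256')) {
     throw new RuntimeException('openssl_sign failed: ' . openssl_error_string());
 }

 // Base64 the raw signature, then URL-encode it for use in the query string.
 $signature = urlencode(base64_encode($signature));

 echo 'https://' . $bucketName . '.commondatastorage.googleapis.com/' . $key
     . '?GoogleAccessId=' . $accessId
     . '&Expires=' . $expiry
     . '&Signature=' . $signature;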