Use HMAC-SHA256 for upload signature generation

vipulnsward · vipulnsward · commit c4da96e84d17 · 2026-02-09T20:29:55.000+05:30
diff --git a/lib/uploadcare/param/upload/signature_generator.rb b/lib/uploadcare/param/upload/signature_generator.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'digest'
+require 'openssl'
 
 # Signature generator for signed uploads.
 class Uploadcare::Param::Upload::SignatureGenerator
@@ -17,8 +17,7 @@ def self.call(config: Uploadcare.configuration)
     end
 
     expires_at = Time.now.to_i + lifetime
-    to_sign = secret_key + expires_at.to_s
-    signature = Digest::MD5.hexdigest(to_sign)
+    signature = OpenSSL::HMAC.hexdigest('sha256', secret_key, expires_at.to_s)
     { signature: signature, expire: expires_at }
   end
 end
diff --git a/spec/uploadcare/param/upload/signature_generator_spec.rb b/spec/uploadcare/param/upload/signature_generator_spec.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'digest'
+require 'openssl'
 
 RSpec.describe Uploadcare::Param::Upload::SignatureGenerator do
   it 'returns signature and expire' do
@@ -10,7 +10,7 @@
     result = described_class.call(config: config)
 
     expect(result[:expire]).to eq(1030)
-    expected_signature = Digest::MD5.hexdigest('secret1030')
+    expected_signature = OpenSSL::HMAC.hexdigest('sha256', 'secret', '1030')
     expect(result[:signature]).to eq(expected_signature)
   end
 
