From cbb71be598c40794422c9a93cc2a4f36d2f4acf9 Mon Sep 17 00:00:00 2001
From: wwang <me@wwang.tech>
Date: Mon, 16 Feb 2026 16:58:07 -0800
Subject: [PATCH] Send Content-MD5 header on S3 uploads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Set SendContentMd5: true in PutObjectOptions so that minio-go
includes a Content-MD5 header with every PutObject request.

AWS S3 requires this header when the target bucket has Object Lock
enabled; without it the upload is rejected with HTTP 400
(InvalidRequest).  The overhead is negligible — one MD5 hash per
upload — and the header also serves as a server-side integrity
check for all uploads regardless of Object Lock.

Fixes #727
---
 internal/storage/s3/s3.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/internal/storage/s3/s3.go b/internal/storage/s3/s3.go
index 923ca8aa..0ec2cdb0 100644
--- a/internal/storage/s3/s3.go
+++ b/internal/storage/s3/s3.go
@@ -105,8 +105,9 @@ func (v *s3Storage) Name() string {
 func (b *s3Storage) Copy(file string) error {
 	_, name := path.Split(file)
 	putObjectOptions := minio.PutObjectOptions{
-		ContentType:  "application/tar+gzip",
-		StorageClass: b.storageClass,
+		ContentType:    "application/tar+gzip",
+		StorageClass:   b.storageClass,
+		SendContentMd5: true,
 	}
 
 	if b.partSize > 0 {