From aee56279e4e830dc95def98b4d0f6595b5452208 Mon Sep 17 00:00:00 2001 From: tim-kos Date: Tue, 28 Apr 2026 13:57:04 +0200 Subject: [PATCH 1/4] fix(signing): use sha384-prefixed signatures for list requests --- list_request_signature_test.go | 58 ++++++++++++++++++++++++++++++++++ transloadit.go | 5 ++- 2 files changed, 60 insertions(+), 3 deletions(-) create mode 100644 list_request_signature_test.go diff --git a/list_request_signature_test.go b/list_request_signature_test.go new file mode 100644 index 0000000..f226591 --- /dev/null +++ b/list_request_signature_test.go 
@@ -0,0 +1,58 @@
+package transloadit
+
+import (
+ "context"
+ "crypto/hmac"
+ "crypto/sha512"
+ "encoding/hex"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "strings"
+ "testing"
+)
+
+func TestListRequest_UsesSha384PrefixedSignature(t *testing.T) {
+ t.Parallel()
+
+ var capturedParams string
+ var capturedSignature string
+
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ query := r.URL.Query()
+ capturedParams = query.Get("params")
+ capturedSignature = query.Get("signature")
+
+ w.Header().Set("Content-Type", "application/json")
+ _, _ = io.WriteString(w, `{"items":[],"count":0}`)
+ }))
+ defer server.Close()
+
+ client := NewClient(Config{
+ AuthKey: "test-key",
+ AuthSecret: "test-secret",
+ Endpoint: server.URL,
+ })
+
+ _, err := client.ListTemplates(context.Background(), &ListOptions{PageSize: 3})
+ if err != nil {
+ t.Fatalf("ListTemplates failed: %v", err)
+ }
+
+ if capturedParams == "" {
+ t.Fatal("params should not be empty")
+ }
+ if capturedSignature == "" {
+ t.Fatal("signature should not be empty")
+ }
+ if !strings.HasPrefix(capturedSignature, "sha384:") {
+ t.Fatalf("expected sha384-prefixed signature, got %q", capturedSignature)
+ }
+
+ mac := hmac.New(sha512.New384, []byte("test-secret"))
+ mac.Write([]byte(capturedParams))
+ expected := "sha384:" + hex.EncodeToString(mac.Sum(nil))
+ if capturedSignature != expected {
+ t.Fatalf("signature mismatch\nexpected: %s\nactual: %s", expected, capturedSignature)
+ }
+}
diff --git a/transloadit.go b/transloadit.go
index 588e697..5e25700 100755
--- a/transloadit.go
+++ b/transloadit.go
@@ -4,7 +4,6 @@ package transloadit
 import (
 "context"
 "crypto/hmac"
- "crypto/sha1"
 "crypto/sha256"
 "crypto/sha512"
 "encoding/hex"
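Review bot: The assertions in TestListRequest_UsesSha384PrefixedSignature pin the MAC algorithm and the prefix but not what was signed, so a regression that drops fields from `params` would still pass as long as the HMAC matches the captured string. If listRequest is meant to place the auth key and an expiry inside `params` (its body is not part of this patch, so that is an assumption to confirm), add a check such as `if !strings.Contains(capturedParams, "test-key") { t.Fatal("params should carry the auth key") }` and a matching one for the expiry field. Binding the signature to a key id and a validity window is what the signature is protecting, so it is worth pinning alongside the algorithm.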
@@ -213,11 +212,11 @@ func (client *Client) listRequest(ctx context.Context, path string, listOptions return fmt.Errorf("unable to create signature: %s", err) } - hash := hmac.New(sha1.New, []byte(client.config.AuthSecret)) + hash := hmac.New(sha512.New384, []byte(client.config.AuthSecret)) hash.Write(b) params := string(b) - signature := hex.EncodeToString(hash.Sum(nil)) + signature := "sha384:" + hex.EncodeToString(hash.Sum(nil)) v := url.Values{} v.Set("params", params) From 29dd24f822d58c8a467d70773934caed9d27d52b Mon Sep 17 00:00:00 2001 From: tim-kos Date: Tue, 28 Apr 2026 17:10:27 +0200 Subject: [PATCH 2/4] test(template-credentials): stop updating credential type in update flow --- template_credentials_test.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/template_credentials_test.go b/template_credentials_test.go index 294ebb6..9b4764c 100644 --- a/template_credentials_test.go +++ b/template_credentials_test.go @@ -53,15 +53,17 @@ func TestTemplateCredentials(t *testing.T) { if !found { t.Errorf("Created TemplateCredential not found id=%s", id) } - // Step 4 : Update the Template credential + // Step 4 : Update the Template credential. + // Keep the same type because the API does not allow changing credential type. newTemplateCredentialPost := NewTemplateCredential() newtemplateCredentialName := templateCredentialName + "updated" newTemplateCredentialPost.Name = newtemplateCredentialName - newTemplateCredentialPost.Type = "backblaze" + newTemplateCredentialPost.Type = "s3" newtemplateCredentialContent := map[string]interface{}{ - "bucket": "mybucket", - "app_key_id": "mykeyid", - "app_key": "mykey", + "key": "updated-key", + "secret": "updated-secret", + "bucket": "updated-bucket.example.com", + "bucket_region": "eu-central-1", } newTemplateCredentialPost.Content = newtemplateCredentialContent err = client.UpdateTemplateCredential(ctx, id, newTemplateCredentialPost) 
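Review bot: The algorithm and the `sha384:` prefix are now spelled out inline in listRequest, in `hmac.New(sha512.New384, ...)` and `"sha384:" + hex.EncodeToString(...)`. `crypto/sha512` was already imported before this commit, which suggests another request path in transloadit.go was signing with SHA-384 while list requests stayed on HMAC-SHA1; if so, the two copies drifted once and can drift again. Consider moving the MAC and prefix into one unexported helper on Client and calling it here as `signature := client.sign(b)` (the helper name is a placeholder), so a future algorithm change is made in one place. The hunk shows only the middle of listRequest; the function starts and ends outside it.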
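Review bot: The new Step 4 comment states that the API does not allow changing the credential type, but the test now sidesteps that rule instead of pinning it. It also relies on the credential having been created as `s3`, which happens above the hunk and is not visible here. Consider an extra step that sends an update with a different type and asserts the documented outcome, and hoist the type into one local such as `const credentialType = "s3"` so the create, update and check steps cannot disagree.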
From 749230a4f233d5747d733e7a6f58e9f7f836913a Mon Sep 17 00:00:00 2001 From: tim-kos Date: Tue, 28 Apr 2026 17:30:44 +0200 Subject: [PATCH 3/4] test(template-credentials): expect unchanged s3 type after update --- template_credentials_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template_credentials_test.go b/template_credentials_test.go index 9b4764c..0d5985c 100644 --- a/template_credentials_test.go +++ b/template_credentials_test.go @@ -76,7 +76,7 @@ func TestTemplateCredentials(t *testing.T) { if newTemplateCredential, err = client.GetTemplateCredential(ctx, id); err != nil { t.Error(err) } - checkTemplateCredential(t, newTemplateCredential, newtemplateCredentialName, newtemplateCredentialContent, "backblaze") + checkTemplateCredential(t, newTemplateCredential, newtemplateCredentialName, newtemplateCredentialContent, "s3") // Step 6: Delete test templateCredential if err := client.DeleteTemplateCredential(ctx, id); err != nil { From 50979045163ce76f7b5b247f38910e22f096fccc Mon Sep 17 00:00:00 2001 From: tim-kos Date: Tue, 28 Apr 2026 17:34:14 +0200 Subject: [PATCH 4/4] build(ci): run example builds via package pattern --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 184c7f7..6662a16 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ SHELL := /usr/bin/env bash test-examples: - cd ./examples && find . -type f | xargs -i sh -c "go build {} && go clean" \; + go build ./examples/... test-package: go test -v -coverprofile=coverage.out -covermode=atomic .