@wouterdewinter
Forked from anonymous/sign.php
Last active October 2, 2019 17:30
Tutorial: Securing private content on AWS Cloudfront
<?php
/**
 * Sign a private asset URL on CloudFront using a canned policy.
 *
 * @param string $resource full URL of the resource
 * @param int    $timeout  number of seconds the signed URL stays valid
 * @return string signed URL
 * @throws Exception
 */
function getSignedURL($resource, $timeout)
{
    // This is the id of the CloudFront key pair you generated
    $keyPairId = "[key id obtained from step 1]";
    $expires = time() + $timeout; // Timeout in seconds

    // Canned policy: the resource and its expiry time form the only statement
    $json = '{"Statement":[{"Resource":"'.$resource.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';

    // Read the CloudFront private key; do not place it in the webroot!
    $priv_key = file_get_contents("/app/data/private_key.pem");
    if ($priv_key === false) {
        throw new Exception('Reading private key file failed');
    }

    // Create the private key
    $key = openssl_get_privatekey($priv_key);
    if (!$key) {
        throw new Exception('Loading private key failed');
    }

    // Sign the policy with the private key (CloudFront expects an RSA-SHA1 signature)
    if (!openssl_sign($json, $signed_policy, $key, OPENSSL_ALGO_SHA1)) {
        throw new Exception('Signing policy failed, '.openssl_error_string());
    }

    // Create the URL-safe signed policy: CloudFront replaces +, = and / with -, _ and ~
    $base64_signed_policy = base64_encode($signed_policy);
    $signature = str_replace(array('+','=','/'), array('-','_','~'), $base64_signed_policy);

    // Construct the URL, appending to an existing query string if there is one
    $url = $resource . (strpos($resource, '?') === false ? '?' : '&') . 'Expires='.$expires.'&Signature=' . $signature . '&Key-Pair-Id=' . $keyPairId;
    return $url;
}

// Example usage
echo '<img src="' . getSignedURL("http://[your-distribution].cloudfront.net/your-asset.png", 60) . '" />';
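As an added example that is not part of the gist, the check that belongs beside the signer: it parses a URL produced by getSignedURL(), rebuilds the canned policy, undoes the URL-safe encoding and verifies the RSA-SHA1 signature with the public half of the key pair, rejecting expired URLs and URLs signed with an unexpected key pair id. The function name verifySignedURL and the public key path are assumptions.

```php
<?php
/**
 * Verify a signed CloudFront URL produced by getSignedURL() (assumed helper,
 * not part of the gist). Returns true only if the Key-Pair-Id matches, the
 * expiry is still in the future and the signature verifies against $publicKeyPem.
 */
function verifySignedURL($signedUrl, $publicKeyPem, $expectedKeyPairId)
{
    // getSignedURL() always appends exactly these three parameters, in this order
    if (!preg_match('/^(.*)[?&]Expires=(\d+)&Signature=([A-Za-z0-9_~-]+)&Key-Pair-Id=([^&]+)$/', $signedUrl, $m)) {
        return false;
    }
    list(, $resource, $expires, $signature, $keyPairId) = $m;

    // Reject URLs signed by another key pair and URLs that have already expired
    if ($keyPairId !== $expectedKeyPairId || (int)$expires <= time()) {
        return false;
    }

    // Rebuild the canned policy byte for byte as the signer did
    $policy = '{"Statement":[{"Resource":"'.$resource.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';

    // Undo the CloudFront URL-safe substitutions and strict-decode the signature
    $rawSig = base64_decode(str_replace(array('-','_','~'), array('+','=','/'), $signature), true);
    if ($rawSig === false) {
        return false;
    }

    $publicKey = openssl_pkey_get_public($publicKeyPem);
    if (!$publicKey) {
        throw new Exception('Loading public key failed');
    }
    // openssl_verify() returns 1 on a valid signature, 0 on mismatch, -1 on error
    return openssl_verify($policy, $rawSig, $publicKey, OPENSSL_ALGO_SHA1) === 1;
}

// Self-check, assuming getSignedURL() from the gist is loaded and
// /app/data/public_key.pem (assumed path) holds the public half of the key pair.
// The public PEM can be exported from the private key with
// openssl_pkey_get_details(openssl_pkey_get_private($privPem))['key'].
$url = getSignedURL("http://[your-distribution].cloudfront.net/your-asset.png", 60);
$ok = verifySignedURL($url, file_get_contents('/app/data/public_key.pem'), "[key id obtained from step 1]");
// Tampering with the resource path or the Expires value must make the check fail
$tampered = str_replace('your-asset.png', 'other-asset.png', $url);
$tamperedOk = verifySignedURL($tampered, file_get_contents('/app/data/public_key.pem'), "[key id obtained from step 1]");
var_dump($ok, $tamperedOk);
```

Running this kind of check in a test before deploying a signing routine catches the two mistakes that silently break signed URLs: a policy string that differs from what was signed, and a mismatched key pair id.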