Compute every step of an AWS SigV4 signature — the canonical request, the string-to-sign, the four-stage HMAC key-derivation chain (kDate → kRegion → kService → kSigning), and the final HMAC — without sending anything anywhere. Works for Authorization-header signing and pre-signed S3 URLs. Useful for diagnosing SignatureDoesNotMatch errors against the AWS sample vectors.
host and x-amz-content-sha256 are auto-derived if omitted. x-amz-date is set from the timestamp below.
Format: METHOD\nURI\nQUERY\nCanonicalHeaders\n\nSignedHeaders\nHashedPayload. Headers are lowercased and sorted; the URI is percent-encoded twice for non-S3 services, once for S3.
Format: AWS4-HMAC-SHA256\nAmzDate\nCredentialScope\nSHA256(CanonicalRequest).
Each step is HMAC-SHA256(prev, next), starting from "AWS4" + SecretAccessKey. The final kSigning never leaves your browser.