signedUrl signature needs encodeURIComponent() not escape() to prevent
SignatureDoesNotMatch errors on signatures containing plus signs.