This isn't really a bug given that Google App Engine only supports python 2.5, so I suspect the code was never intended to run on later versions. However, for anyone porting the code to other platforms or testing the code locally, this issue may be relevent.
Basically the problem is that the python HMAC code throws an exception when calculating the signature for authenticated content distribution. The fix that seemed to work for me was to convert the HMAC secret (which is of type db.Text) into a regular python string. Basically changing line 622 in main.py from this: return hmac.new(secret, data, hashlib.sha1).hexdigest() to this: return hmac.new(str(secret), data, hashlib.sha1).hexdigest() I don't know that much about python, but my understanding is that this issue could be the result of an optimisation applied to the HMAC code between python 2.5 and 2.6 (see issue 1618455 - http://bugs.python.org/issue1618455). Anyway, I just thought I'd share this info here in case anyone else ran into the same problem.
