CloudFront uses RSA/PKCS-1.5/SHA1 algorithm for its signatures.
KMS, for signing, requires minimum SHA2.
That sounds like a serious gap (plus use of SHA1 is questionable all together)
Is there a way to make CloudFront accept signatures of a different algorithm, or have KMS sign SHA1 digests?