Hi all,
I recently ran into a serious issue with DKDMs generated in DCP-o-matic.
In older versions, there used to be fields in the DKDM dialog where you could set the valid from and valid until dates manually. This was extremely useful when working with facilities or archives that require the DKDM to expire exactly with the end date of their certificate.
In current versions this option seems to have been removed, and DCP-o-matic just sets a default window (usually creation date + 10 years). The problem:
- Some facilities insist that the DKDM must not exceed the validity of their certificate.
- Manually editing the XML afterwards is not an option, because the signature block covers the validity period and any change leads to a digest/signature error.
- This forced me into an awkward position with a client – technically the DKDM was correct, but their system rejected my manually “fixed” version.
I really don’t understand why this functionality was taken out. It makes DCP-o-matic less practical in real-world professional workflows. Having the ability to set the validity period directly in the GUI (as it was in older versions) would solve the problem completely.
Could this feature please be reintroduced?
It would make DCP-o-matic much more usable for anyone who regularly has to deliver DKDMs to post houses, archives or distributors with strict formal requirements.
DKDM validity period – why was this function removed, and can it be reintroduced?
-
- Posts: 6
- Joined: Tue Sep 19, 2023 12:48 pm
-
- Site Admin
- Posts: 2852
- Joined: Thu Nov 14, 2013 2:53 pm
Re: DKDM validity period – why was this function removed, and can it be reintroduced?
Right, I mistakenly thought this option was potentially damaging (because it may give the impression that you can "protect" a DKDM to only work for a limited time), but I didn't take into account the problems you mention.
There's a note in the tracker to re-add it: https://dcpomatic.com/bugs/view.php?id=3017
I'll get to it as soon as I can (hopefully this week).
Best,
Carl
-
- Posts: 3010
- Joined: Tue Apr 15, 2014 9:11 pm
- Location: Germany
Re: DKDM validity period – why was this function removed, and can it be reintroduced?
As a workaround - you can just create a regular KDM towards your own certificate. That will offer you the time period setting. Just create a screen with your certificate within the regular KDM dialog.
-
- Posts: 309
- Joined: Mon Nov 13, 2017 8:40 pm
- Location: Iceland
Re: DKDM validity period – why was this function removed, and can it be reintroduced?
I wouldn't call that a workaround, but the normal function for time-limited (D)KDMs.
Given that a KDM and a DKDM are the same thing, if one wants to introduce a time frame, what better way than to do it from the KDM Creator GUI?
The matter of the signing certificate and the validity of both certificates is considerable, though.
-
- Posts: 21
- Joined: Wed Sep 18, 2019 12:35 pm
Re: DKDM validity period – why was this function removed, and can it be reintroduced?
Maybe I could do something like EasyDCP does - a checkbox that automatically sets the key expiration date to the certificate's validity period?