KDM Problem (Empty String)

[kss]

We've been using DCP-o-matic to create KDMs without problem for a long time. But today we experienced a case where the venue said our KDM cannot be played (this is our first time hearing this).

I checked with Claude AI and it analyzed that the problem is because our KDM has the empty thumbprint 2jmj7l5rSw0yVb/vlWAYkK/YBwk= even though the server certificate file is correct.

And apparently, all the KDMs we created always contain this empty thumbprint according to Claude, but most other venues never reported any problem. But for today's venue, their server is a Dolby IMS2000 and Claude said this might be a problem, and that this might be a bug from DCP-o-matic that is causing this empty thumbprint.

Below is the full report I received from Claude. Has anyone encounter similar experience and whether this is true?


-------------------------------------------------------
# DCP-o-matic KDM Bug Report

## Problem
All KDMs generated contain an invalid certificate thumbprint: `2jmj7l5rSw0yVb/vlWAYkK/YBwk=`

This is the SHA-1 hash of an **empty string**, not the certificate:
```bash
$ echo -n "" | openssl sha1 -binary | base64
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
```

## Expected Behavior
The thumbprint should be the SHA-1 hash of the actual certificate. For example:
```bash
$ openssl x509 -in certificate.pem -outform DER | openssl sha1 -binary | base64
b3g4qqykTkgVQWly0vGfRXWcqWM= # Correct thumbprint
```

## Impact
- KDMs are rejected by DCI-compliant servers (particularly Dolby IMS2000/3000)
- Some older servers accept them anyway, which is why we didn't notice earlier
- Affects 100% of our KDMs across all certificates and venues

## What Works
- Certificate import and parsing
- Subject and issuer extraction
- Key encryption
- Digital signatures

## What's Broken
- Thumbprint calculation always returns empty string hash instead of actual certificate hash

## Reproduction
1. Import any certificate into DCP-o-matic
2. Generate KDM
3. Check `<CertificateThumbprint>` in the XML
4. Always shows `2jmj7l5rSw0yVb/vlWAYkK/YBwk=` regardless of certificate

## Version Info
- Latest DCP-o-matic version (just updated)
- Problem persists across multiple versions
- Tested with Dolby SMPTE and Interop certificates

[StephW999]

if this helps
https://files.isdcf.com/papers/ISDCF-Doc5-kdm-certs.pdf

[kss]

Thank you very much. Based on the document it seems that DCP-o-matic is not able to create a KDM for IMS2000 server? Since there will always be the "assume trust" thumbprint with DCP-o-matic.

And that if we need to create a KDM for IMS2000 server, we need to use another software instead...?

[carl]

You should be able to get what you want by adding a trusted device certificate to the "other trusted devices" list in the screen dialogue box, and then using the KDM type "modified multiple transitional 1" or "DCI specific".

I'm not 100% sure that DCP-o-matic's behaviour is right here. I'd be interested to hear how you get on if you try it. Do you have an example of a working IMS2000 KDM?

[Carsten]

The IMS2000 is a 'transition' type of device between the classic Doremi servers and the IMS3000. The software and feature set is more or less the same for all these servers. As such, I don't believe there is a difference in KDM handling between these servers.
Also, even if the problem was specific to the IMS2000, I think we would have heard about the issue before, because the IMS2000 is quite commonly used.

Are you able to request the software version that is running on that IMS2000? Although, I guess it has to be 2.8.52/6.2.1 due to a specific forced update procedure during the recent year.


Weird. Maybe something went wrong when setting up that screen in DCP-o-matic? Do you still have that IMS2000 serial number? You may delete and recreate it's screen database entry by downloading a current cert from Dolby.

[IoannisSyrogiannis]

Carsten has a really good point, here, noticing that the validity dates of the media block certificates have changed.
It makes sense to renew the certificates of all Doremi-turned-Dolby media blocks on any KDM issuing software.
It's a good thing that Dolby (unlikely companies like Barco, for instance) gives access to those certificates with no account necessary. So, one doesn't need to ask the venue for them.

The worst case scenario, the venue did not prolonged the certificates.

P.S. It's O.K. to get guidelines and pointers from AI, but try to rely less on what Claude says and how things stand according to Claude. Where there is no abundance of data, AI is improvising in order to please you. Where there is abundance of data, nuance is usually the first victim.