Invalid CPL signature on Barco

Anything and everything to do with DCP-o-matic.
carl
Site Admin
Posts: 2548
Joined: Thu Nov 14, 2013 2:53 pm

Re: Invalid CPL signature on Barco

Post by carl »

Hmm. Are we sure this is a KDM or DCP problem? I could create a DKDM and try to cross KDM and DCP between 2.14.57 and 2.16?
I don't think much is certain. The error messages from these servers can be pretty misleading.
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Invalid CPL signature on Barco

Post by Carsten »

I set up another machine at the cinema, I have one windows machine running 2.14.57 and another one 2.16.0. I added all server and computer certs and am now able to create KDMs on and between these machines. Didn't have much more time today than to set it up and create the databases. What works is to create a DKDM in 2.14.57 towards 2.16.0 on the second machine. I can play the encrypted DCP that works on both the Sony and the Barco (created with 2.14.57) in Player 2.16.0. BUT: When I use this DKDM in KDM Creator 2.16 to create a KDM for this same DCP towards our Sony - that KDM fails with the same error on the Sony as the KDM created immediately from 2.16 on my Mac.

Here's a link to these KDMs. One created with 2.14.57(win) immediately from within the 2.14.57 project for the Sony, the other one created using a 2.14.57 DKDM in 2.16.0(win) for the same Sony cert. The one created with 2.14.57 works, the one created through the DKDM with 2.16.0 fails to ingest ('invalid'). More tests tomorrow.

https://www.dropbox.com/sh/i5bn773sm87x ... Ca5La?dl=0

Looks as if something about KDM creation in 2.15.x/2.16 is broken.
carl
Site Admin
Posts: 2548
Joined: Thu Nov 14, 2013 2:53 pm

Re: Invalid CPL signature on Barco

Post by carl »

Nice find! I'm just looking at the KDMs now. One thing that is different (which really shouldn't matter) is 2.16.0 has the option to disable the forensic marking in the KDM - so by default the 2.16.0 KDMs will have no <ForensicMarkFlagList>. It's supposed to be optional, but ...!

If you have the time you could try making a new KDM after clicking the "Advanced" button next to the KDM type and un-ticking "Forensically mark video" and "Forensically mark audio".

I'll see if I can spot any more differences.
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Invalid CPL signature on Barco

Post by Carsten »

I already was in that dialog before I created the KDMs, but I found 'Watermark video, and audio up to ch 12' a useful setting. I will still try with them disabled, of course.


Another thing I just tried: I transferred the full project done with 2.14.57 (which played successfully) to the other machine running 2.16. So I was able to load it into DCP-o-matic 2.16.0. 'Make KDMs...' found the CPL/raw encryption key in the project metadata file, and offered to create KDMs for it. I did that in one go (selected all three targets) for both Sony, Barco AND the machine running 2.14.57 (on which the project was created initially).
Now, both the Sony AND the Barco rejected that KDM - but Player 2.14.57 decrypted and played the DCP successfully with the KDM created by 2.16.0

???

Will now try with forensic marking disabled.
carl
Site Admin
Posts: 2548
Joined: Thu Nov 14, 2013 2:53 pm

Re: Invalid CPL signature on Barco

Post by carl »

Will now try with forensic marking disabled.
Great - if that doesn't help it might be interesting to try:
  • clear out prefs completely
  • run 2.14.x so that it creates the signing certificates etc.
  • make an encrypted DCP, a DKDM for DCP-o-matic and a KDM for the projector
  • start 2.16.0 KDM creator, load that DKDM and make a new KDM for the projector
I assume the 2.14.x projector KDM would work but the 2.16.0 one would not. At point they should be even easier to compare, and it would eliminate some mistake in how 2.16.0 is creating certificate chains.
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Invalid CPL signature on Barco

Post by Carsten »

Alright, you mean, Starting 2.14.57 with a fresh config, create DCP, KDM and DKDM, then 'migrate' to 2.16 from this config, and again create a DKDM with 2.16...

I assume, when I start 2.16.0 after 2.14.57 has setup the config, 2.16.0 will copy/update this config to it's 2.16 prefs folder? That should have happened on my Mac, already during my first try, but, I can still try it again with another fresh set. Will also try 2.15.30 later, all from fresh prefs.


But for now (and still interesting), I created new KDMs in DCP-o-matic main 2.16 using the existing 2.14.57 project (as before - didn't even save it in 2.16, it's still in it's '2.14.57' format). I disabled forensic marking, and then created ALL KDM dialects, again for the Sony, Barco, and that other machine running 2.14.57.
Now, NONE of these dialects (all with forensic marking disabled) worked on either the Sony or the Barco (all ingested fine on the Barco, but wouldn't play, all were rejected as invalid by the Sony).
BUT - all KDM dialects worked in Player 2.14.57 - with the exception of the Modified Transitional 1 without Device Authentication - which is actually what the player complained about properly:

Bildschirmfoto 2022-02-05 um 23.13.44.png
You do not have the required permissions to view the files attached to this post.
carl
Site Admin
Posts: 2548
Joined: Thu Nov 14, 2013 2:53 pm

Re: Invalid CPL signature on Barco

Post by carl »

Alright, you mean, Starting 2.14.57 with a fresh config, create DCP, KDM and DKDM, then 'migrate' to 2.16 from this config, and again create a DKDM with 2.16...
Yes, except create KDM for the projector with 2.16; if that doesn't work (as we might expect) the differences at that point between the 2.14.57 working and the 2.16.0 non-working should be quite minimal.
I assume, when I start 2.16.0 after 2.14.57 has setup the config, 2.16.0 will copy/update this config to it's 2.16 prefs folder? That should have happened on my Mac, already during my first try, but, I can still try it again with another fresh set. Will also try 2.15.30 later, all from fresh prefs.
Yes, that is what should have happened, but the last set of KDMs you sent on dropbox seem to be signed by different certificates, so something odd has happened there.
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Invalid CPL signature on Barco

Post by Carsten »

Okay, I am a bit out of my head now going back and forth between systems and versions. What I can say for sure is: I just trashed prefs, started 2.15.30, created a new project, encrypted SMPTE DCP, imported my Sony and Barco Certs, and created KDMs. And THEY DO WORK on both the Sony and Barco. I will now migrate to 2.16.0, open that project, create a new KDM. Will then check and send you both KDMs AND config files.

- Carsten
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Invalid CPL signature on Barco

Post by Carsten »

Hmm. THAT IS WEIRD. The KDMs created from 2.15.30 and 2.16.0 on the Mac (loading the same project) now BOTH work on the Sony and Barco...
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Invalid CPL signature on Barco

Post by Carsten »

carl wrote: Sat Feb 05, 2022 10:27 pm
Yes, that is what should have happened, but the last set of KDMs you sent on dropbox seem to be signed by different certificates, so something odd has happened there.
Ah, sorry, now that I read it again - that is 'correct'. I thought you were first looking just at formal differences. The two KDMs created were from different machines with different prefs/certs.