Tweet
Steve, as I understand it different servers use different indexes in the DCP such as CPL, volume index, accet map and PKG files and such. Maybe not all are affected?
-
-
My guess is that the problem is due to a different choice of date used to verify the validity of the CPL by Dolby, Doremi and Barco on one side and by GDC, Sony and (probably) Christie on the other.Originally posted by Steve Guttag View Post
Those who project verify that the CPL had a valid certificate at the content creation date/time, those who do not project on the other hand verify validity at the verification date/time.
I'm sure that other users know better the subject than me and can correct my interpretation, but if I understand what the actual DCI specs require (9.4.3.5, point 4, letter c), the SM shall check the CPL according to SMPTE ST 430-5.
Section 5.2.1 of SMPTE ST 430-5 says that the CPL is valid if there is a match between all the hashes and if the digital signature and certificates are valid according to SMPTE ST 430-2.
SMPTE ST 430-2 indicates that certificates are validated by verifying them against a date, but it does not dictates which date (an informative note even describes that "in most cases the desired time is the current time, but a different time might be used to examine historical or future information")Comment
-
Elia, you deserve some sort of award or something. I saw your post with the screenshot
of the expired certificate several hours before DeLuxe & everyone else had it figured out!
It was because of your post that I started checking content at my own theater, and realized
we had a problem, since with the Sony systems, there was no advance warning or error
messages until you you actually came to the affected feature film clip in the playlist, and
only then would it freeze up, leaving just a dark screen in the auditorium.
Because I was able to alert management, it saved them a lot of headaches since a show
that doesn't run at all is better than a show that runs badly. So they were able to stop ticket
sales and cancel shows rather than have to kick cranky customers out of a dark auditorium,
Despite the patch fixes, I still had a problem with one show yesterday ("Burn It Down")
- - I wound up deleting it from everything, everywhere, all at once, and then re-ingesting it
and it's OK now. (Well it was OK when I tested it late last night. .. we'll see if it runs without
errors later today!)Comment
-
Originally posted by Jim Cassedy View Post
I checked the certificates for one of the ill-fated Wonka CPLs - one of the certs as we now know expired dec 31/2023 - but the cert chain uses more intermediate certs, and the next one in that chain expires dec 31/2024, and another one dec 31/2025, one more dec 31/2027. These further dates, of course, are not relevant, as the one expired dec 31/2023 causes the issue, and all further expirations won't add anything.
The new 'Cipher 2' certs all expire in 2036.
However, Deluxe is not the only mastering company, and we may have a bunch of time bombs sitting in our archives, all expiring at different dates. It's really the question wether Sony and GDC should better issue a software update that relaxes the cert checking. After all - there is still the KDM/encryption to protect the content, and the signing cert has a lower relevance.
However, where's the incentive for Sony to issue software updates now as they left the DCI market?
- CarstenLast edited by Carsten Kurz; 01-03-2024, 06:14 PM.Comment
-
More to the point, relaxing the cert checking compromises the entire DCP format, so would studios allow it? Would SMPTE?
I would presume there is some standard the manufacturers need to meet, or someone could just write code for an IMB with a user adjustable date that completely ignores all certs.
Sony needs to follow the support timeline they pledged to support their equipment for as there are definitely SLAs still in place.Comment
-
It is, alas, a bit more complicated. For example https://tools.chilkat.io/xmlDsigVerify (not affiliated, was merely the first to pop up) will - correctly - report the signature of, e.g.,Originally posted by Mete Tunca View Post's CPL as "verified". Which means the document is unchanged as signed - its integrity has been established. All affected CPL's should have signatures which would return "verified" with the usual XML Signature checking tools.Code:Wonka_FTR-3_S_DE-XX_DE_71_4K_WR_20231115_DLX_SMPTE_VF
The context of usage matters. Venue context is document integrity (the above) + whatever the playback systems choose to do wrt the related signer's certificates.
There are two free DCP checking tools which will give you details wrt signer certificate expiry status:- Ymagis' excellent ClairMeta (https://github.com/Ymagis/ClairMeta#readme)
- dcp_inspect (https://github.com/wolfgangw/backports#readme) (author here)
Comment
-
I noticed that the new certs Deluxe uses now have a validity window from April 2021 through April 2036.
So, I guess they had new certs since 2021, but did not use them for signing DCPs?
Hmm, interesting, I looked up some KDMs we received from Deluxe during the last year - they were using their new certificates for signing KDMs already - just not for signing DCPs/CPLs!
As Elia pointed out - the current set of SMPTE documents seem to be fuzzy about the required checks. That's strange given the high relevance DCI gave security matters. But it entirely explains why equipment behaves so differently.Last edited by Carsten Kurz; 01-04-2024, 06:43 AM.Comment
-
This is not a bug on Sonys side ;-) You can not force them to relax DCI compliance in their product based on an SLA.Originally posted by William Kucharski View PostComment
-
I never meant to imply it was, rather I was addressing other comments that implied Sony abandoned existing projectors in place.Originally posted by Carsten Kurz View Post
You are correct and in fact I wonder if work is ongoing to browbeat other vendors into tightening their certificate checking.Comment
-
Interesting, this is from Christie IMB-S2 firmware 1.8.11 release notes - it's from 9/2023, so, 'recent', but not released in the course of the recent events.
Bildschirmfoto 2024-01-04 um 16.20.22.pngLast edited by Carsten Kurz; 01-04-2024, 10:46 AM.Comment
-
Very interesting, info, Carsten. ( Although I don't think I'm not going to loose too
much sleep worrying about anything 68 years from now)
One thing I found both frustrating and amusing was that a lot of the reporting on
this issue posted on various blogs and news sites almost always referred to it as
"a Sony projector issue". Well, yes, it does seem to have mostly affected SONY
systems, but there was NOTHING wrong with the friggin' projector. They worked
just fine if you were playing interop or non encrypted content, or playing alternate
content through the HDMI inputs. It was also sometimes referred to as an "Alamo
Drafthouse issue". But A-D is really not at fault here. They just happen to have a
very large base of SONY equipped venues in the USA, so it hit them hardest.
I've been told for some time that our SONY TMS license expires later this year
and we will be junking it for another system. I know there are long term plans
to replace our SONY projectors too- - but I at this point I think that might also
be something that's at least 68 years away.Last edited by Jim Cassedy; 01-04-2024, 01:32 PM.Comment
-
Originally posted by Carsten Kurz View Post
Very interesting, Carsten.
Well, the thing is that someone might have noticed that 100% of Deluxe's content released over the past XX years was about to expire and someone took action, removing the check - which might be allowed by DCI? The timing is very suspicious indeed!
Comment
-
This is from GDC support:
Yes, you are right, certificate from Deluxe has expired on end of last month that was used to sign CPLs and caused this issue, its not server issue, as you said this was affected Christie and Sony servers too.
No idea about Dolby and ICMP behavior but our server check the CPL validation as per DCI, we are inline with the DCI standard.
/M.E.Comment
-
I just this minute finished doing a test screening of Migration-Mn_FTR-16-3D_S_EN-XX-CCAP_US-PG-INT-TD_51-HI-VI_2K_UP_20231017_DLX_SMPTE-3D_OV and it works exactly the same way as Aquaman2_FTR-2-3D-45fl_S_EN-XX-CCAP_OV_51-HI-VI-Dbox_2K_WR_20231202_DLX_SMPTE-3D_OV.
Both of these movies show on the Content-Summary page as "not playable" but show as unlocked and playable on the Playback-Edit screen.
And both 3d Aquaman and 3d Migration play all the way through, work as usual, and look just fine.
This is on a GDC SR1000.Comment
-
Can you post your SR1000 software version?Comment
Comment