7.0, and a little further down it says 17-build74.

Either up to date or out of date, it's apparently in a good way!

Unsure if this is related or not. Im slightly illiterate on the tech aspects of all of this, but here I sit with our tech working out the bugs with my system.

Im still running on an NEC IMB IMS1000. I too got the cert validity error but none of the deluxe fixes worked. Turns out my clock had been reset back to Dec 30th 2012!! Has this popped up with anyone else?


The issue here is that Im on a closed system and it needs to be connected to the internet to hopefully get a connection to update the clock to the correct date/time, but it appears we're having IP address issues now.

Edit: Well, per a post made a year ago apparently I slipped by on updates......

James, did you get your server's certificate updated before the end of the year? If not, it may be toast. Pretty much all of the legacy Doremi servers had certificates that expired at the end of 2023. Dolby went out of their way to try and inform everyone of the procedures to update the servers in both software/firmware as well as extending the certificates

Yup, James, you missed the Doremi cert extension program. This is completely unrelated to the current Wonka/Deluxe cert issue.
The good thing is, you can still apply the 2024 security manager fix. Only at the end of 2025, your server is toast if you miss it. If it lasts till then, the IMS1000 is not accurately known to be the most robust device.

https://kb.dolby.com/CinemaKnowledge...cate-Extension

Thank you everyone.

We managed to get everything in order, including the 2025 extension to 2038. Luckily the firmware update also got the clock to reset to the correct time without having to get any additional files from NEC (who aren't available today).

Interesting that the Deluxe debacle happened at the same time as the Dolby expiry issue. I know I wasn't the only one and we were left confused thinking this must have been related somehow.

There should be a law that forbids to set technical time window expiration dates to year changes. They should all run from March 17 to March 16 or so...or any regular workday monday.

It appears that the industry has an understanding of exactly what this issue is. However, it may still have a long shadow.

For example, when I ingest DCPs into my own TMS system, I am getting, for example.. when ingesting other CPLs/DCPs
---
...
Error(s):
+ PKL_e9e11e39-acd3-45f2-8d15-be9ced8a8550.xml (AnyoneButYou_FTR_S_EN-XX-CCAP_OV_51-HI-VI_4K_SPE_20231208_DLX_SMPTE_OV)
+ Certificate 32846
. Certificate date validation.
Certificate is not valid at this time
. Certificate signature check.
Certificate signature check failure : certificate has expired​
...
---
NOTE: I push everything through Clairmeta, so others are free to also use Clairmeta themselves on their content.

This is a big issue and DCI is addressing it ASAP, as can be seen in the recent update to the DCI specification:

---
DCI Releases DCI Specification, DCSS Version 1.4.4
Approved for Distribution January 3, 2024

DCSS VERSION 1.4.4

DCSS Changelog since 1.4.3

- Permit playback of CPLs after the signing certificate has expired
- Relax ingest and storage capacity requirements
​---

This gives us an idea of how the industry is going to handle it.
i.e. ignore the expiration dates on the certificate signing.

And that vendors will need to make sure this is compliant in upgrades coming thick and fast due to this.


James

Oh wow, that was quick

Short throw - PKL signer certs of DLX have expired as well. What is the expected ingest behaviour for DCPs with expired or non-valid PKL signer certs? I guess both for CPLs and PKLs, a hint/warning would be sufficient. One could argue wether the projection system operator should be bothered with these issues at all. They are no hints towards possible projection problems, unlike hashes, they don't indicate possible problems/show stoppers like file corruption. They should be a means to evaluate secondary issues, and as such would be reviewed by specially trained people only.

This is an info mail from //a major studio//:

Christie continue to have a software update solution available, sites with Christie devices experiencing issues should contact their integrators to install the patch.
GDC are actively testing a solution they have developed so we hope this will be available to cinemas and integrators very soon.
To my knowledge an update for Sony devices is not to be expected.
The “fix CPL” is not a long term solution, as time progresses more CPLs will emerge with an expired signer certificate, the best long term solution is a hardware/software upgrade at the cinemas.

If this is true it is not good news for those who run SONY:s
/M.E.​

So the super security is absolutely required and everything needs to be checked in every possible way and we'll shut ya down at any time for any issue no matter how significant.

Until it becomes inconvenient for the movie companies.

Now we can change in the security requirements.

Not that I disagree with this. It makes a lot of sense. It just seems hypocritical to me.

It seems to me that this change to the DCI specs is a necessary clarification of an unclear point. Both approaches used by the manufacturers were valid and legitimately passed the certification tests. Thankfully, it has been clarified that the more correct approach is to preserve the reproducibility of the content, given the effects of the more stringent version, with the understanding that the security of the content has not changed.

The draconian DCI security specifications have always been mostly hypocritical if you ask me.

When there was something like a theatrical window, you could say they still made some kind of sense, although many movies still leaked in high quality before their widespread home video and streaming releases.
Nowadays, theatrical windows are mostly a thing of the past, movies appear on streaming services day and date or just weeks or days after they appeared in cinemas.

But meanwhile, we're all required to maintain this security theater, that requires a massive administrative overhead and a bunch of hardware that's purposely built like a Rube Goldberg machine with many boobytraps inside a black box. Maintaining all this infrastructure costs millions around the globe, makes the entire exhibition industry locked-in on an ever-shrinking handful of vendors, only to maintain a system that now brings nothing but fake security and has a tendency to explode in all our faces, just like it just did... Pirates could watch all the latest movies, for free, at home, while many cinemas around the globe were out of business, because all they could project was a black screen...

The signer certs do not deal that much with 'security' anyway, not in the sense of content protection. Concept-wise, they make sense, but the specs were not clear about the cert time-frame for DCPs that go to storage, or about proper procedures for cert renewal. Software tools should warn about these well in advance.

Playback servers probably should have means to tell between non-existent, broken, or expired certs. An explicitly expired signer cert hardly means anything of relevance at the exhibition level.

Or any other legacy equipment that has been declared EOL/EOS by its OEM. The Dolby cat862 f****d up color glitch is another example: likely fixable with new firmware, but Dolby aren't going to do any (though to be fair to them, they did issue updates to fix the media block certificate expiration on otherwise no longer supported DolReMi devices, and at no charge). In this case, the result will likely be exhibitors with Sony equipment having to accelerate plans to replace it. In the short term that's good news for me as a vendor and integrator, but bad news for theaters and their customers, to whom the cost will eventually be passed.