On Mon, Jan 30, 2017 at 6:22 PM, Carl Hetherington <cth@carlh.net> wrote:
Hi Tom,
Thanks. It looks rather as if that DKDM has been created for different
certificates to the ones you sent. Have you only sent your Qube operator
one set? Where did the certificate files that you sent to me come from?
Best,
Carl
On Mon, 30 Jan 2017, Carl Hetherington via DCPomatic wrote:
> Hi Tom,
>
> Maybe you'd like to email me those certificates and the DKDM. They don't
> give away any secrets without the private key that is stored on your
> machine.
>
> All the best,
> Carl
>
> On Mon, 30 Jan 2017, Tom Haines wrote:
>
> > Yes to both
> >
> > SpectiCast
> > Tom Haines :: Executive Director of Digital Cinema Services
> >
> > 210 W Rittenhouse Sq, Ste 400 | Philadelphia, PA 19103, USA
> >
> > Office: 215-618-3874 | Mobile: 484-269-8227 | Skype: tom.haines41
> >
> > Facebook | Twitter | Google+ |Instagram | Tumblr
> >
> >
> > On Mon, Jan 30, 2017 at 5:03 PM, Carl Hetherington <cth@carlh.net> wrote:
> > Hi Tom,
> >
> > Are you importing the DCP on the same machine that you exported the
> > certificates from?
> >
> > And you are doing "Add KDM" from the right-click menu when you get this
> > error?
> >
> > Kind regards,
> > Carl
> >
> > On Mon, 30 Jan 2017, Tom Haines via DCPomatic wrote:
> >
> > > So, the Qube Master Pro operator was able to issue a DKDM, using an individual export of the Root, Intermediate, and Leaf.
> > >
> > > Unfortunately now, I am receiving the following error in DCP-o-Matic when I attempt to unlock the content.
> > >
> > > An exception occurred: Could not decrypt KDM (error:0407A079:rsa routines:RSA_padding_check_PKCS1_OAEP:oaep decoding error).
> > >
> > > Any thoughts on this?
> > >
> > > SpectiCast
> > > Tom Haines :: Executive Director of Digital Cinema Services
> > >
> > > 210 W Rittenhouse Sq, Ste 400 | Philadelphia, PA 19103, USA
> > >
> > > Office: 215-618-3874 | Mobile: 484-269-8227 | Skype: tom.haines41
> > >
> > > Facebook | Twitter | Google+ |Instagram | Tumblr
> > >
> > >
> > > On Thu, Jan 26, 2017 at 2:23 AM, GEORGE MAZARAKIS via DCPomatic <dcpomatic@carlh.net> wrote:
> > > If you send the cerificate chain they should be able to unchain it (
> > > using an utulity which comes with qube , or manually)
> > >
> > > and install the root and intermidiate certificates on windows using mmc.exe.
> > >
> > > Then they can create DKDM for DoM using the pem cerificate
> > >
> > > George
> > >
> > >
> > > On 26/1/2017 1:28 πμ, dcpomatic-request@carlh.net wrote:
> > > > Send DCPomatic mailing list submissions to
> > > > dcpomatic@carlh.net
> > > >
> > > > To subscribe or unsubscribe via the World Wide Web, visit
> > > > http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
> > > > or, via email, send a message with subject or body 'help' to
> > > > dcpomatic-request@carlh.net
> > > >
> > > > You can reach the person managing the list at
> > > > dcpomatic-owner@carlh.net
> > > >
> > > > When replying, please edit your Subject line so it is more specific
> > > > than "Re: Contents of DCPomatic digest..."
> > > >
> > > >
> > > > Today's Topics:
> > > >
> > > > 1. Re: Exporting a decryption certificate. (Carsten Kurz)
> > > > 2. Re: Exporting a decryption certificate. (Tom Haines)
> > > > 3. Re: Exporting a decryption certificate. (Carsten Kurz)
> > > > 4. Re: Exporting a decryption certificate. (Carsten Kurz)
> > > > 5. Re: Exporting a decryption certificate. (Tom Haines)
> > > >
> > > >
> > > > ------------------------------------------------------------ ----------
> > > >
> > > > Message: 1
> > > > Date: Wed, 25 Jan 2017 23:50:05 +0100
> > > > From: Carsten Kurz <audiovisual@t-online.de>
> > > > To: dcpomatic carlh net <DCPomatic@carlh.net>
> > > > Subject: Re: [DCP-o-matic] Exporting a decryption certificate.
> > > > Message-ID: <1BA06127-14B0-43EE-A89D-A5331B0A0513@t-online.de >
> > > > Content-Type: text/plain; charset=us-ascii
> > > >
> > > >
> > > > Am 25.01.2017 um 23:43 schrieb Tom Haines:
> > > >
> > > >> Other way around. They are mastering the DCP, and I need to decrypt it with DOM
> > > > Okay, in this case you would need to use 'Export DCP encryption chain'. And hope that Qube Master Pro accepts DOMs root certificate/chain.
> > > >
> > > > - Carsten
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------
> > > >
> > > > Message: 2
> > > > Date: Wed, 25 Jan 2017 17:59:31 -0500
> > > > From: Tom Haines <thaines@specticast.com>
> > > > To: Carsten Kurz <audiovisual@t-online.de>
> > > > Cc: dcpomatic carlh net <DCPomatic@carlh.net>
> > > > Subject: Re: [DCP-o-matic] Exporting a decryption certificate.
> > > > Message-ID:
> > > > <CAAgw8C5kMZKk-JYj8gu7kDuOieBv2Nt1z4w11Dcjwsv >yRTpoqw@mail.gmail.com
> > > > Content-Type: text/plain; charset="utf-8"
> > > >
> > > > I can't find 'Export DCP encryption chain', but I did send him the result
> > > > from 'Export DCP decryption certificate' and that's what caused him this
> > > > error. Are they the same thing, or am I missing something?
> > > >
> > > > [image: SpectiCast] <http://www.specticast.com/> Tom Haines :: Executive
> > > > Director of Digital Cinema Services
> > > >
> > > > 210 W Rittenhouse Sq, Ste 400 | Philadelphia, PA 19103, USA
> > > >
> > > > Office: 215-618-3874 | Mobile: 484-269-8227 | Skype: tom.haines41
> > > >
> > > > Facebook <https://www.facebook.com/SpectiCastEntertainment > | Twitter
> > > > <https://twitter.com/Specticast > | Google+
> > > > <https://plus.google.com/u/0/b/104757180246475600072/ >104757180246475600072/posts
> > > > | Instagram <http://instagram.com/specticast > | Tumblr
> > > > <http://specticast.tumblr.com/>
> > > >
> > > > On Wed, Jan 25, 2017 at 5:50 PM, Carsten Kurz via DCPomatic <
> > > > dcpomatic@carlh.net> wrote:
> > > >
> > > >> Am 25.01.2017 um 23:43 schrieb Tom Haines:
> > > >>
> > > >>> Other way around. They are mastering the DCP, and I need to decrypt it
> > > >> with DOM
> > > >>
> > > >> Okay, in this case you would need to use 'Export DCP encryption chain'.
> > > >> And hope that Qube Master Pro accepts DOMs root certificate/chain.
> > > >>
> > > >> - Carsten
> > > >>
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> DCPomatic mailing list
> > > >> DCPomatic@carlh.net
> > > >> http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
> > > >>
> > > > -------------- next part --------------
> > > > An HTML attachment was scrubbed...
> > > > URL: <http://main.carlh.net/pipermail/dcpomatic/ >attachments/20170125/e9ec58e0/ attachment-0001.html
> > > >
> > > > ------------------------------
> > > >
> > > > Message: 3
> > > > Date: Thu, 26 Jan 2017 00:15:14 +0100
> > > > From: Carsten Kurz <audiovisual@t-online.de>
> > > > To: dcpomatic net carlh <DCPomatic@carlh.net>
> > > > Subject: Re: [DCP-o-matic] Exporting a decryption certificate.
> > > > Message-ID: <EF1E26B1-177A-47B8-9AF7-867A33A6A469@t-online.de >
> > > > Content-Type: text/plain; charset=us-ascii
> > > >
> > > >
> > > > Am 25.01.2017 um 23:59 schrieb Tom Haines:
> > > >
> > > >> I can't find 'Export DCP encryption chain', but I did send him the result from 'Export DCP decryption certificate' and that's what caused him
> > this
> > > error. Are they the same thing, or am I missing something?
> > > > Ooops.
> > > >
> > > > In my Preferences - Keys I have three options at the bottom of the dialog:
> > > >
> > > > Re_Make certificates and key
> > > > Export DCP decryption certificate...
> > > > Export DCP decryption chain...
> > > >
> > > > Ooops, it seems that button is indeed not there in 2.9... maybe upgrade to 2.10.2 or 2.10.6?
> > > >
> > > > 'Export Decryption certificate' will only export the leaf certificate of your DOM installation. Technically, the leaf is sufficient to create
> > > KDMs/DKDMs, but some software may require a full certificate chain, which is what the error message you posted seems to signal.
> > > > Qube Master Pro may have a setting to override that behaviour and be happy with the leaf only, but I am not familiar with that software.
> > > >
> > > > - Carsten
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------
> > > >
> > > > Message: 4
> > > > Date: Thu, 26 Jan 2017 00:24:12 +0100
> > > > From: Carsten Kurz <audiovisual@t-online.de>
> > > > To: dcpomatic carlh net <DCPomatic@carlh.net>
> > > > Subject: Re: [DCP-o-matic] Exporting a decryption certificate.
> > > > Message-ID: <99FC8548-330F-4A47-A0A3-F7C7896B4EE9@t-online.de >
> > > > Content-Type: text/plain; charset=us-ascii
> > > >
> > > >
> > > > Am 25.01.2017 um 23:59 schrieb Tom Haines:
> > > >
> > > >> I can't find 'Export DCP encryption chain', but I did send him the result from 'Export DCP decryption certificate' and that's what caused him
> > this
> > > error. Are they the same thing, or am I missing something?
> > > > Carl - I could probably try this myself, but, assuming Tom want's to stay with 2.9 - can the decryption certificate chain also be generated by
> > > exporting the three individual Root/Intermediate/Leaf certificates in the upper part of the decryption certificate dialog segment, and simply
> > > concatenate them into a single file?
> > > >
> > > >
> > > > - Carsten
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------
> > > >
> > > > Message: 5
> > > > Date: Wed, 25 Jan 2017 18:26:51 -0500
> > > > From: Tom Haines <thaines@specticast.com>
> > > > To: Carsten Kurz <audiovisual@t-online.de>
> > > > Cc: dcpomatic net carlh <DCPomatic@carlh.net>
> > > > Subject: Re: [DCP-o-matic] Exporting a decryption certificate.
> > > > Message-ID:
> > > > <CAAgw8C5yG0s=sPycBni1yS_nQai2diYG=Tt+sjFvpLjCge8Wvg@ mail.gmail.com >
> > > > Content-Type: text/plain; charset="utf-8"
> > > >
> > > > Wonderful. I upgraded to 2.10.2 and that option is now there. I exported
> > > > the full chain and sent it along. I'll report back if it works.
> > > >
> > > > [image: SpectiCast] <http://www.specticast.com/> Tom Haines :: Executive
> > > > Director of Digital Cinema Services
> > > >
> > > > 210 W Rittenhouse Sq, Ste 400 | Philadelphia, PA 19103, USA
> > > >
> > > > Office: 215-618-3874 | Mobile: 484-269-8227 | Skype: tom.haines41
> > > >
> > > > Facebook <https://www.facebook.com/SpectiCastEntertainment > | Twitter
> > > > <https://twitter.com/Specticast > | Google+
> > > > <https://plus.google.com/u/0/b/104757180246475600072/ >104757180246475600072/posts
> > > > | Instagram <http://instagram.com/specticast > | Tumblr
> > > > <http://specticast.tumblr.com/>
> > > >
> > > > On Wed, Jan 25, 2017 at 6:15 PM, Carsten Kurz via DCPomatic <
> > > > dcpomatic@carlh.net> wrote:
> > > >
> > > >> Am 25.01.2017 um 23:59 schrieb Tom Haines:
> > > >>
> > > >>> I can't find 'Export DCP encryption chain', but I did send him the
> > > >> result from 'Export DCP decryption certificate' and that's what caused him
> > > >> this error. Are they the same thing, or am I missing something?
> > > >>
> > > >> Ooops.
> > > >>
> > > >> In my Preferences - Keys I have three options at the bottom of the dialog:
> > > >>
> > > >> Re_Make certificates and key
> > > >> Export DCP decryption certificate...
> > > >> Export DCP decryption chain...
> > > >>
> > > >> Ooops, it seems that button is indeed not there in 2.9... maybe upgrade to
> > > >> 2.10.2 or 2.10.6?
> > > >>
> > > >> 'Export Decryption certificate' will only export the leaf certificate of
> > > >> your DOM installation. Technically, the leaf is sufficient to create
> > > >> KDMs/DKDMs, but some software may require a full certificate chain, which
> > > >> is what the error message you posted seems to signal.
> > > >> Qube Master Pro may have a setting to override that behaviour and be happy
> > > >> with the leaf only, but I am not familiar with that software.
> > > >>
> > > >> - Carsten
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> DCPomatic mailing list
> > > >> DCPomatic@carlh.net
> > > >> http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
> > > >>
> > > > -------------- next part --------------
> > > > An HTML attachment was scrubbed...
> > > > URL: <http://main.carlh.net/pipermail/dcpomatic/ >attachments/20170125/4ad2832a/ attachment.html
> > > >
> > > > ------------------------------
> > > >
> > > > Subject: Digest Footer
> > > >
> > > > _______________________________________________
> > > > DCPomatic mailing list
> > > > DCPomatic@carlh.net
> > > > http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
> > > >
> > > >
> > > > ------------------------------
> > > >
> > > > End of DCPomatic Digest, Vol 53, Issue 20
> > > > *****************************************
> > >
> > > _______________________________________________
> > > DCPomatic mailing list
> > > DCPomatic@carlh.net
> > > http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
> > >
> > >
> > >
> > >
> >
> >
> >
> >