Hi!
I have been helping investigate this quite a bit. I think that one
of two things (or both) is happening:
1) The DoM self-signed certificate chain is created with a validity time
stamp in the future. This could happen because either the system clock
on the machine DoM runs on or the media block's secure clock is out of
sync. I don't know if there is anything we can really do about this,
apart from telling people that it is important to have accurate clocks.
Dolby Cat745s in particular are notorious for drifting (usually into the
future, though). The Cat745 clock in this particular case has been
verified as set accurately. Unfortunately I have so far been unable to
verify whether the system time on the system on which DoM was run to
generate the content was set correctly.
2) UUIDs for DoM's KDMs are reused. The reason I suspect that DoM may
incorrectly re-use KDM UUIDs is that the Cat745 log below references an
ID from the KDM XML that was issued with the same ID after this log entry.
From the Cat745 log (the clock is accurate and set to UTC):
Jun 9 06:39:34 (none) daemon.info decoder: *KDM ***CHECK*** started*
Jun 9 06:39:34 (none) daemon.info decoder: Parsing KDM XML
Jun 9 06:39:34 (none) daemon.info decoder: KDM XML parse statistics [w:0] - [e:0] - [f:0]
Jun 9 06:39:34 (none) daemon.info decoder: De-serializing KDM
Jun 9 06:39:34 (none) daemon.info decoder: Validating KDM id [ urn:uuid:4576cbc1-62ef-4d99-967b-5b79be35344d ] and CPL id [ urn:uuid:74ba48d5-eead-4326-8450-586eb352dacb ]
Jun 9 06:39:34 (none) daemon.info decoder: Validating KDM Certificate Chain
Jun 9 06:39:34 (none) daemon.err decoder: Certificate verification failure: certificate is not yet valid sn: /O=dcpomatic.com/OU=dcpomatic.com/CN=.dcpomatic.smpte-430-2.ROOT/dnQualifier=29lUqc7kxOCh6TkpwD9eOM9JBsg= depth: 2
Jun 9 06:39:34 (none) daemon.info decoder: Destroying KDM [ urn:uuid:4576cbc1-62ef-4d99-967b-5b79be35344d ]
Jun 9 06:39:34 (none) daemon.info decoder: KDM validation failed: [ X509 certificate verification failed ] #CertFormatError
Jun 9 06:39:34 (none) daemon.info decoder: DEBUG: Check KDM completed [#CertFormatError]
Excerpt from KDM 4576cbc1-62ef-4d99-967b-5b79be35344d XML:
<IssueDate>2018-06-09T19:31:57+02:00</IssueDate>
<Signer>
  <ds:X509IssuerName>dnQualifier=Q0ZlUge6zK2OCaGcPnyDlP2Uo28=,CN=.dcpomatic.smpte-430-2.INTERMEDIATE,OU=dcpomatic.com,O=dcpomatic.com</ds:X509IssuerName>
  <ds:X509SerialNumber>7</ds:X509SerialNumber>
</Signer>
<RequiredExtensions>
  <KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
    <Recipient>
      <X509IssuerSerial>
        <ds:X509IssuerName>dnQualifier=xXoRSRkNkwROURqMrh3PRRPASfI=,CN=.DolbyDC-MFGCA-ARX-4,O=DC256.Cinea.Com,OU=DolbyMediaBlock</ds:X509IssuerName>
        <ds:X509SerialNumber>584</ds:X509SerialNumber>
      </X509IssuerSerial>
      (...)
    </Recipient>
    (...)
    <ContentKeysNotValidBefore>2018-06-09T14:11:00+02:00</ContentKeysNotValidBefore>
    <ContentKeysNotValidAfter>2018-12-16T19:13:00+02:00</ContentKeysNotValidAfter>
Excerpt from "openssl x509 -text" for cert #7 from above:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = dcpomatic.com, OU = dcpomatic.com, CN = .dcpomatic.smpte-430-2.INTERMEDIATE, dnQualifier = Q0ZlUge6zK2OCaGcPnyDlP2Uo28=
        Validity
            Not Before: Jun 9 14:47:26 2018 GMT
            Not After : Jun 4 14:47:26 2028 GMT
        Subject: O = dcpomatic.com, OU = dcpomatic.com, CN = CS.dcpomatic.smpte-430-2.LEAF, dnQualifier = "Z8+acwErJf+bgd/b+4fPD1Mxpac="
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
Best,
Mattias
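To make the clock reasoning in the message above concrete, here is an added example (not DCP-o-matic code, and not from anyone in this thread) that puts the three clocks involved side by side: the media block's clock (the Cat745 syslog stamp), the KDM issuer's clock (IssueDate) and the clock that minted the signer certificate (Not Before from openssl). It also counts KDM ids across a set of KDMs, which is the check hypothesis 2 calls for. The KDM fragments are constructed from the values quoted above; their element layout, and the element names MessageId and CompositionPlaylistId, are assumptions, not a schema-valid DCinemaSecurityMessage, and the second fragment deliberately reuses the MessageId so a duplicate shows up. One caveat when reading the result: the Cat745 verdict names depth 2 (the ROOT), while the validity window quoted is cert #7 (the leaf), so the skew printed here is for the leaf; feed it the root's Not Before to explain the actual rejection.

```python
"""Added example: line up the clocks behind a 'certificate is not yet valid' KDM
rejection, and count reused KDM ids. Standard library only."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET


def _find(root: ET.Element, name: str) -> ET.Element:
    """First element whose local name is `name`, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    raise ValueError(f"element {name} not found")


def _text(root: ET.Element, name: str) -> str:
    return (_find(root, name).text or "").strip()


def parse_openssl_time(s: str) -> datetime:
    """Parse an 'openssl x509 -text' stamp such as 'Jun  9 14:47:26 2018 GMT'."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_syslog_time(s: str, year: int) -> datetime:
    """Parse 'Jun  9 06:39:34'. Syslog carries no year and no zone: the caller supplies
    the year, and the zone is assumed to be UTC (the Cat745 in the thread is on UTC)."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)


@dataclass
class Kdm:
    kdm_id: str
    cpl_id: str
    signer_serial: str
    issue_date: datetime
    keys_not_before: datetime
    keys_not_after: datetime


def parse_kdm(xml_text: str) -> Kdm:
    """Pull ids, signer serial and the three KDM timestamps (normalised to UTC)."""
    root = ET.fromstring(xml_text)
    ts = lambda name: datetime.fromisoformat(_text(root, name)).astimezone(timezone.utc)
    return Kdm(
        kdm_id=_text(root, "MessageId"),              # element name assumed
        cpl_id=_text(root, "CompositionPlaylistId"),  # element name assumed
        signer_serial=_text(_find(root, "Signer"), "X509SerialNumber"),
        issue_date=ts("IssueDate"),
        keys_not_before=ts("ContentKeysNotValidBefore"),
        keys_not_after=ts("ContentKeysNotValidAfter"),
    )


def check_signer_validity(kdm: Kdm, cert_not_before: datetime, check_time: datetime) -> list[str]:
    """Compare the media block clock (check_time), the issuer clock (IssueDate) and the
    signer certificate's notBefore. Each finding names the clock relation that trips it."""
    findings = []
    if check_time < cert_not_before:
        findings.append(f"signer cert not yet valid at check time: notBefore is "
                        f"{cert_not_before - check_time} ahead of the media block clock")
    if kdm.issue_date < cert_not_before:
        findings.append("KDM IssueDate precedes signer cert notBefore: issuer clock or "
                        "cert-generation clock out of sync")
    if check_time < kdm.keys_not_before:
        findings.append(f"content keys not yet valid: window opens "
                        f"{kdm.keys_not_before - check_time} after check time")
    return findings


def find_reused_ids(kdms: list[Kdm]) -> dict[str, int]:
    """KDM ids that occur more than once (every KDM should carry a fresh uuid)."""
    return {i: n for i, n in Counter(k.kdm_id for k in kdms).items() if n > 1}


# Constructed, simplified KDM fragment carrying the values quoted in the thread
# (layout is illustrative, not a schema-valid DCinemaSecurityMessage).
KDM_A = """<DCinemaSecurityMessage xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <MessageId>urn:uuid:4576cbc1-62ef-4d99-967b-5b79be35344d</MessageId>
  <IssueDate>2018-06-09T19:31:57+02:00</IssueDate>
  <Signer>
    <ds:X509IssuerName>dnQualifier=Q0ZlUge6zK2OCaGcPnyDlP2Uo28=,CN=.dcpomatic.smpte-430-2.INTERMEDIATE,OU=dcpomatic.com,O=dcpomatic.com</ds:X509IssuerName>
    <ds:X509SerialNumber>7</ds:X509SerialNumber>
  </Signer>
  <RequiredExtensions>
    <KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
      <CompositionPlaylistId>urn:uuid:74ba48d5-eead-4326-8450-586eb352dacb</CompositionPlaylistId>
      <ContentKeysNotValidBefore>2018-06-09T14:11:00+02:00</ContentKeysNotValidBefore>
      <ContentKeysNotValidAfter>2018-12-16T19:13:00+02:00</ContentKeysNotValidAfter>
    </KDMRequiredExtensions>
  </RequiredExtensions>
</DCinemaSecurityMessage>"""
# Constructed second KDM for another CPL that (wrongly) reuses the same MessageId.
KDM_B = KDM_A.replace("74ba48d5-eead-4326-8450-586eb352dacb", "11111111-2222-4333-8444-555555555555")


def run_thread_example() -> tuple[list[str], dict[str, int]]:
    """Run both checks on the data quoted in the thread."""
    cert_nb = parse_openssl_time("Jun  9 14:47:26 2018 GMT")  # cert #7 Not Before
    kdm_a = parse_kdm(KDM_A)
    check_time = parse_syslog_time("Jun  9 06:39:34", kdm_a.issue_date.year)  # Cat745 log line
    return check_signer_validity(kdm_a, cert_nb, check_time), find_reused_ids([kdm_a, parse_kdm(KDM_B)])


if __name__ == "__main__":
    print(*run_thread_example(), sep="\n")
```

With the quoted values the leaf's notBefore lands 8:07:52 ahead of the Cat745 clock at the moment of the check, and the content-key window opens 5:31:26 later still, while the IssueDate sits comfortably after notBefore; which of the two clocks is wrong cannot be read off these numbers alone, only that they disagree.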
On Mon, Jun 11, 2018 at 11:51 AM, Carl Hetherington via DCPomatic <dcpomatic(a)carlh.net> wrote:
Hi Tobias,
That's an odd one. I'll put a message out onto the forums to see if
anybody knows what that actually means.
Do you have the same software versions running on the DSS200/Cat.745 in
all your auditoria?
Are you using DCP-o-matic's automatically-generated signing certificates?
(if you haven't imported your own certs, you will be).
Kind regards,
Carl
On Sat, 9 Jun 2018, Tobias Jingwall via DCPomatic wrote:
Hi
When I'm trying to make a KDM key for my DCP clip I get this message:
"Error - invalid/unauthorized clip signature"
It's working in some of the auditoriums.
We've got DSS200 and Cat. No. 745.
_______________________________________________
DCPomatic mailing list
DCPomatic(a)carlh.net
http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
--
-mattias