DCP-o-matic

So, a little background. I'm a filmmaker in Los Angeles who has just completed my first independent feature documentary film. I'm an editor for DreamWorks Animation, and Post Production Professional my entire career.

Since we have a top quality theatre, I wanted to test my DCP package in their theatre where I'm used to watching Hollywood releases. (We get DCP's of different films each week and it's a free perk to watch the latest releases on Wednesday nights.) I made an encrypted DCP on DOM. I transferred the film to my CRU EXT3 formatted drive using the doc and USB. I used the DCP Transfer software and it validated the Package Before Transfer and on the Drive. I was able to play the film back using the DOM Player with a generated KDM directly from EXT3 Cru drive on my Mac desktop. I had the projectionist send me an email with their certificate, generated a KDM, and emailed it to him last night. This morning, I handed off the drive which their system had no problem ingesting into the system.

However, the KDM gave him an error. He sent me a picture of the error. I attached it as 1.jpg I figured that I had made a mistake with my dates for the KDM creation, so I tunneled into my machine from work and created a new KDM I was certain was correct.

This KDM also didn't work and he took two pictures of what appears to be an identical failure. I'm attaching those images as 2.jpg and 3.jpg

When I got home tonight I took a look at my KDM's against the cpl and the certificate they provided me. I used https://www.kdm-inspector.com
and according to that website everything checked out. My DCP is a SMPTE package. The certificate used was dcp2000-292529.cert.sha256.pem. I used standard recommended settings in DOM to create the KDM.

I wanted to know if anyone had any feedback on what's causing the error. My next step was to use the DCPtools online KDM studio to create a KDM as an alternative. I won't be able to know until tomorrow around 2 pm Los Angeles time whether that KDM will unlock the Package for playback. I am attaching both KDM files for you guys to review.

If anyone has any thoughts on this it would be helpful... If I'm making a mistake in the KDM generation, it would be great if you could point me to where my error is.

From that error, there is something wrong with the validity periods of the signing certificate. First, backup your DCP-o-matic configuration. As it seems, this KDM has not been ingested, so it won't unlock the feature. How long is the KDM timeframe you set for your KDM?

Which version of DCP-o-matic are you using? After backing up your config, I would suggest you first check date and time of your system. Then recreate Signing certificates in prefs. Then try to issue another KDM.

- Carsten

I’m using the latest version of DCP-O-Matic for Mac OSX. I just downloaded for the first time like 2 weeks ago. My clock is set to Cupertino time and the date shows April 11, 2019. And when I did the KDM inspector is showed the validity period I entered.

Is there a way to set/check the date in the DCP-O-Marco preferences that I can force it to see itself on a particular date and time? Also how do I backup those files?

I set a week timeframe for the KDM initially from april 10-April 17. I subsequently expanded the time period in each end after the failure when I remade the KDM. It appears even though I tried to attach the KDM here they didn’t upload.

Would inspecting he KDM help you? When I did the KDM inspector it showed the validity period correctly April 10, 2019-April 17, 2019 and the time was 03:15 UTC-07:00 (or something similar)

I’m using the latest version of DOM for OSX. I downloaded and installed after April 1, 2019.

My system is set to Cupertino time and on my desktop it matches reality and represents the date as April 11, 2019. Is there another place on Mac to check the date config? Also, how do I backup my DOM config files? And what is the process for recreating signing certificates?

I'm attaching three keys. The first one is the first failure, the second 1 is the remake and still fails. Those two correlate to the images in my original post. The third key is what I had made by DCP Tools KDM studio online. In case anyone wants to inspect.

One more update. The KDM I created using DCPTools KDM studio just succeeded on the DreamWorks system. That is the key that starts as K_Rapid when you’re looking at the keys I uploaded on my previous post.

Thanks for all the information. I'm away from my computer for a couple of days but I'll take a look when I'm back.

It certainly looks like DCP-o-matic is failing to limit the KDM period to stay within the validity period of the signing certificates.

No problem and thank you. It’s not dire, especially since I was able to generate a functional key. I decided to submit all of this info for two reasons 1) my learning in case mr errors are the issue 2) in case the software has a bug and needs to be fixed.

Thank you all for your feedback and analysis.

I think your KDMs are all okay technically, but the signing cert fails to comply with the KDM validity period. I have no idea currently how this can happen.
Could you go to Preferences - Keys - Signing DCPs and KDMs/Advanced, then export Root/Intermediate/Leaf certs and upload them here? They are only used to sign KDMs, there is no risc if you publish them here.

If you run a current test version, there is also an option 'Export chain' - that will export all three certs at once, you can also upload the chain here.

Or send them to Carl by email.

You can also try to check your certs here: https://www.sslshopper.com/certificate-decoder.html

- Carsten

Yes I will follow up shortly with these things!