Could this have to do with our SONY SMPTE DCP validation/KDM issue?

You never know your luck... the reporter is hoping to test out the fix to see if Waimea stops complaining; if it works I'll put it into v2.12.0 I think.

Can you supply a short test SMPTE DCP with that test version?

I updated our Sony to 1.53.4 a while ago - that is ONE step behind the version that is said to fix the SMPTE validation issues for 'some DCPs'. If I update now to 1.54, we may never know what caused the issue. Don't know how far behind the typical Sony installation is. Most german users I know are on some 1.5x version, but not all are on 1.54. As Sony introduces not many feature updates, the incentive to update is rather small.

• Carsten

http://dcpomatic.com/downloads/dcp/Carsten_TST-1_F-133_20_2K_20180228_SMPTE_OV.zip

Got it, will check this evening.

• Carsten

Is that fix already in 2.11.68? I see some change on the Sony, but only for validation, not for verification.
I have to check with older versions, though...

• Carsten

Not in 2.11.68. I'm waiting on the Waimea check. Also it needs the signing certificates to be regenerated so it may need some UI to offer that when the program starts.

Reporter confirms that this change works (no longer trips Waimea check). This needs to be added to 2.12.x, probably with a prompt to re-make your certificates.

No way to recreate valid new certs automatically?

• Carsten

Probably... though in theory people might have imported certs that they want to keep. Fairly unlikely mind you. I think it could be automatic if you agree.

Alright, so the issue it is not the handling/storing/application of certs in general, but 'just' the creation of new certs?

Could DCP-o-matic detect self-generated certs and correct only those?

Maybe I am reading too much in this issue, I am just nervous that people may lose their certificate/encrypted DCP/KDM database, and maybe without knowing/understanding it?

• Carsten

Yes, it's the creation. It's possible that we can fix the problem without creating new certs. Agreed on the risks to encrypted content.

@carl asn1_parse2 shows how to do it; ASN1_get_object?

6d770c4c8c79569871edc20253f29f9ea00539e6 in master will offer to fix signer chains on startup if they are wrong. I'll leave decryption chains for now as I think they are much less critical: the only bad situation I can think of is some other software not liking a decryption cert when it's making a KDM...

Okay, so techwise, this would be an issue with both signing and encryption, and for now, the fix only targets signing certs?
That Waimea warning mentioned above trips a warning based on signer certificate, or encryption, or both? Maybe add a line to the text saying that encryption/KDMs of existing DCPs is not harmed by recreating the certs? Even if there was a string freeze towards 2.12, we should probably make this localizable?

Admittedly, those not understanding the term 'signing certificate' will hardly be able to make an educated decision there anyway? I just hate it when an app asks things many users are not able to understand ;-) Like Antivirus programs asking a user what to do with 'trojanxxx_.com'...

• Carsten