View Bug Details

ID: 0002174
Project: DCP-o-matic
Category: Bugs
View Status: public
Last Update: 2023-09-01 21:51
Reporter: carl
Assigned To: carl
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.15.x
Target Version: 2.16.1
Summary: 0002174: player - invalid CPL signature - cannot play from Barco
Description

Software version 1.4.3.7
CPL says it was made with DoM 2.15.172

Service manual says "The play cannot start because one of the CPLs has an invalid signature."
This is distinct from a number of other similar errors:

  • signature of one CPL was generated with an invalid or non-compliant signer chain
  • one of the CPL digests used for the signature does not match
  • CPL not compliant with SMPTE 429-7
Tags: No tags attached.
Branch:
Estimated weeks required:
Estimated work required: Undecided

Relationships

related to 0002181 (closed, carl): Failed to ingest because KDM is invalid

Activities

carl

2022-01-27 16:10

administrator   ~0004830

Hash of CPL in the PKL checks out (after converting to Unix line endings).

carl

2022-02-03 13:17

administrator   ~0004838

Carsten sees this too.

Carsten

2022-02-03 17:09

manager   ~0004839

Here are the two encrypted DCPs, one created with 2.14.57, one with 2.15.171

https://www.dropbox.com/s/vswp0ds8yw3lysc/SMPTEEncrypted_TST-1_F-178_DE-XX_MOS_2K_20220203_SMPTE_OV.zip?dl=0

https://www.dropbox.com/s/9kfy1648yexzdcz/SMPTEEnc215171_TST-1_F-178_DE-XX_DE-NR_MOS_2K_20220203_SMPTE_OV.zip?dl=0

Will do another one with the latest test version later.

Carsten

2022-02-03 18:08

manager   ~0004840

Same problem with 2.16.0

Carsten

2022-02-03 18:09

manager   ~0004841

carl

2022-02-03 19:33

administrator   ~0004844

I guess the first thing might be to hack 2.15.x / 2.16.0 to remove <MainMarkers> and the CPL metadata to see if that helps.

carl

2022-02-04 07:28

administrator   ~0004845

Last edited: 2022-02-04 20:44

https://dcpomatic.com/forum/viewtopic.php?f=2&t=1794

carl

2022-02-09 20:34

administrator   ~0004849

Carsten tracked this down to something different in the certificates that are made between 2.15.36 and 2.15.37.

carl

2022-02-09 20:41

administrator   ~0004850

Last edited: 2022-02-10 00:43

Two things happened here that might be important:

  • started using our own bundled openssl to make certs that start a week before now.
  • bumped the validity period to 40 years.

The 40 years thing takes end dates past 2050, at which point according to SMPTE 430-2-2006 we should use GENERALIZEDTIME rather than UTCTIME to store the validity dates. It looks like OpenSSL already does this correctly, but perhaps that is tripping up Barco's check?

Maybe something is wrong with the change to make certs start early.

Will make a version which backs off the validity period to 25 years.

Checked a random Fraunhofer cert and it is valid:
Not Before: Jun 21 09:26:05 2011 GMT
Not After : Jun 14 09:26:05 2036 GMT
i.e. just less than 25 years.

carl

2022-02-10 00:31

administrator   ~0004851

Last edited: 2022-02-10 20:51

Reducing DoM's cert validity length to 25 years fixes it on the Barco, but not on the Sony (one of the builds on 2174-cert-duration)

carl

2022-02-10 20:49

administrator   ~0004853

Last edited: 2022-02-13 18:12

Dropping back to 10 years works on the Sony (another build on 2174-cert-duration) ...and yet 2.14.x uses 40-year certs and works fine (
-- later: 2.14.x does use 40-year certs but we were testing with 10-year certs made by a previous version.

carl

2022-02-10 20:50

administrator   ~0004854

Last edited: 2022-02-11 00:49

2174-no-shipped-openssl checks the other change (bundling openssl). Appears to make no difference.

carl

2022-02-10 20:52

administrator   ~0004855

On catalina

% openssl version
LibreSSL 2.8.3

carl

2022-02-10 21:36

administrator   ~0004856

Last edited: 2022-02-10 21:36

Can't see anything significant comparing certs created on Catalina from 2.14.57 and 2.15.37. Seems like it must be either something else in 2.15.37, or some other bug that happens to be exposed by using longer certificate validity.

carl

2022-02-13 18:11

administrator   ~0004860

Looks like in fact it is simply the 40 year validity that causes problems. 9bda3fda70912d73266a2dbac5470ca23d2ff6fd goes back to 10-year periods, and 3e6b2d886961177c8d89b3f9168393d33c13bff2 warns on startup if the signer certs have a long validity period.

carl

2022-02-13 18:13

administrator   ~0004861

Similar things are added to 2.14.58.

carl

2022-02-14 10:13

administrator   ~0004864

Tested and working in 2.14.59.
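Added example, not part of the original notes and not DCP-o-matic or libdcp code: notes ~0004850 and ~0004860 turn on how a certificate's validity dates are encoded (UTCTIME up to 2049, GENERALIZEDTIME from 2050) and on warning about long validity periods, so this sketch encodes and parses a DER Validity field and reports both. The function names, the 10-year default threshold and the 2022-02-03 start date are assumptions made for illustration; only the Validity SEQUENCE is handled, not a whole certificate.

```python
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME = 0x17, 0x18  # ASN.1 universal tag numbers

def encode_time(dt):
    """DER-encode one validity date: UTCTime up to 2049, GeneralizedTime from 2050."""
    if dt.year < 2050:
        tag, text = UTCTIME, dt.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ")
    return bytes([tag, len(text)]) + text.encode("ascii")

def encode_validity(not_before, not_after):
    body = encode_time(not_before) + encode_time(not_after)
    return bytes([0x30, len(body)]) + body  # SEQUENCE with short-form length

def decode_validity(der):
    """Parse a DER Validity SEQUENCE into [(tag, datetime), (tag, datetime)]."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    fields, pos = [], 2
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        text = der[pos + 2:pos + 2 + length].decode("ascii")
        if tag == UTCTIME and length == 13:
            # Two-digit year in X.509: 50-99 means 19YY, 00-49 means 20YY
            text = ("19" if int(text[:2]) >= 50 else "20") + text
        elif tag != GENERALIZEDTIME or length != 15:
            raise ValueError("unexpected time encoding")
        when = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        fields.append((tag, when))
        pos += 2 + length
    if len(fields) != 2:
        raise ValueError("Validity must hold exactly two times")
    return fields

def check_validity(der, max_years=10):
    """Report how notAfter is encoded and whether the period exceeds max_years."""
    (_, not_before), (tag, not_after) = decode_validity(der)
    limit = not_before.replace(year=not_before.year + max_years)  # assumed threshold
    return {"not_after": not_after,
            "encoding": "GeneralizedTime" if tag == GENERALIZEDTIME else "UTCTime",
            "long_validity": not_after > limit}

if __name__ == "__main__":
    start = datetime(2022, 2, 3, tzinfo=timezone.utc)  # constructed sample date
    for years in (10, 25, 40):  # the three periods tried in this report
        end = start.replace(year=start.year + years)
        print(years, check_validity(encode_validity(start, end)))
```

Of the three periods tried in this report, only the 40-year one crosses 2050 and switches notAfter to GeneralizedTime; the 25-year and 10-year periods both stay in UTCTime.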

Bug History

Date Modified Username Field Change
2022-01-24 09:13 carl New Bug
2022-01-24 09:13 carl Assigned To => carl
2022-01-24 09:13 carl Status new => acknowledged
2022-01-24 09:14 carl Estimated work required => Undecided
2022-01-24 09:15 carl Description Updated
2022-01-26 22:43 carl Status acknowledged => feedback
2022-01-27 16:02 carl Reproducibility have not tried => unable to reproduce
2022-01-27 16:02 carl Status feedback => acknowledged
2022-01-27 16:10 carl Note Added: 0004830
2022-02-03 13:17 carl Priority normal => immediate
2022-02-03 13:17 carl Severity major => block
2022-02-03 13:17 carl Status acknowledged => confirmed
2022-02-03 13:17 carl Target Version => 2.16.x
2022-02-03 13:17 carl Note Added: 0004838
2022-02-03 13:17 carl Target Version 2.16.x => 2.16.1
2022-02-03 17:09 Carsten Note Added: 0004839
2022-02-03 18:08 Carsten Note Added: 0004840
2022-02-03 18:09 Carsten Note Added: 0004841
2022-02-03 18:09 Carsten File Added: Bildschirmfoto 2022-02-03 um 18.56.09.png
2022-02-03 19:33 carl Note Added: 0004844
2022-02-04 07:28 carl Note Added: 0004845
2022-02-04 20:44 carl Note Edited: 0004845
2022-02-04 21:18 carl Relationship added related to 0002181
2022-02-09 20:34 carl Note Added: 0004849
2022-02-09 20:41 carl Note Added: 0004850
2022-02-09 20:41 carl Note Edited: 0004850
2022-02-09 20:41 carl Note Edited: 0004850
2022-02-10 00:31 carl Note Added: 0004851
2022-02-10 00:43 carl Note Edited: 0004850
2022-02-10 20:49 carl Note Added: 0004853
2022-02-10 20:50 carl Note Added: 0004854
2022-02-10 20:51 carl Note Edited: 0004851
2022-02-10 20:51 carl Note Edited: 0004853
2022-02-10 20:52 carl Note Added: 0004855
2022-02-10 21:36 carl Note Added: 0004856
2022-02-10 21:36 carl Note Edited: 0004856
2022-02-11 00:49 carl Note Edited: 0004854
2022-02-11 19:43 carl Status confirmed => in progress
2022-02-11 19:43 carl Reproducibility unable to reproduce => always
2022-02-13 18:11 carl Note Added: 0004860
2022-02-13 18:12 carl Note Edited: 0004853
2022-02-13 18:13 carl Note Added: 0004861
2022-02-14 10:13 carl Status in progress => resolved
2022-02-14 10:13 carl Resolution open => fixed
2022-02-14 10:13 carl Note Added: 0004864
2023-09-01 21:51 carl Status resolved => closed