Update:

I deleted all keys from the TMS, tried re-ingesting.

As you can see, two show as "Unknown". They seem to lack any ID for the screens (1 and 5) they are intended for.
Is there a way to fix this?

Capture3.jpg

As soon as you modify the keys in any way the checksum becomes invalid. So it's not possible to fix that yourself. The distributor will have to issue you properly designated keys.

I had a feeling that would be the case.
I wrote to Qubewire, they asked for details of the servers of the two houses affected. What details? I already sent IP addresses and model numbers.

You'll definitely have to give them the server serial numbers and you might have to send them the public key certificates for each server.

One can look at the content of the KDM to find unusual identification in them. At least the server serial is listed in them and should match your servers/media blocks. Definitely, Qubewire needs all your serial numbers or certificates right away. We recently played a Tamil movie and Qubewire sent us KDMs for both our servers, both worked. An hour later, they still requested details about our site to match screens and servers, audio configuration etc. in their data base. So somehow they had gotten our serials/certificates, but not a 'proper' site data sheet.

Jeez. Don't know how they got the data for four servers right, but missed two. Since as far as I know, this is the only thing from Qube we've ever got, where did they get these serial numbers from? And what is a "public key certificate" and how do I find it?
I'm taking a day off. Gurgitated Coda into one of the cinemas where it will work, I leave it to others to tweak the schedule so we don't have to cancel shows (it was quite a hit yesterday, being an out of left field winner).

Decrypting an encrypted DCP requires two decryption keys: one for the media block (the component within the SX-3000 or SR-1000 that actually does the decryption). The public key certificate enables the author of the KDM to obtain the correct decryption key for your media block.

In the case of GDC, you obtain those certificates by emailing cert [@] gdc-tech.com. Include the serial number of both units, the name and address of the theater, and a contact name, phone number, and email address. If you don't give them all of this information, they will ask you for it before sending you the certificates. The certificates themselves come in a small file with a .pem extension, which you then send to the distributor or KDM wrangling agency.

If you ever play arthouse or other non-mainstream DCPs, it's worth having those certificate files available. Deluxe can get hold of them without your help - all they need is the serial number. But smaller distributors sometimes can't, and will ask you directly for the certificate files.

I've always thought the public key should be readily available for download from the media block. Why go through all this process go get something that is public and non-secret?

Harold

You would have to have filled out a digital readiness form in the past and it would have your make model and serrial number of both the server and the projector.It is a good idea to have a electronic copy that you can provide a independent distributor along with the PEM file if you wish to play a large portion of the non mainstream content

I agree with Harold. Dolby makes their certs publicly available, and Barco ICMPs have a QR code on the faceplate, which, when scanned, causes your phone to download the file. I'm not a fan of the Barco method. Often, when I've asked for a certificate, the end user has not known how to email a file downloaded this way from their phone, and/or they're not at the theater at the time, resulting in a delay. But it's only GDC and NEC (for their badged IMS1000s and 2000s) that requires you to email them and ask them for it, as far as I'm aware. I don't know what arrangement Qube uses.

Qube had been collecting certs for a very long time. I remember that I registered our Sony with them probably 8 years ago. They then offered to collect certs in a structured database for their mastering and KDM online services. Which sounded attractive enough for me to give our serials away. Have never heard from them again, but now recently, I received KDMs from them without any prior communication. Don't know what would have happened if we had changed our media block in the meantime. Anyway, no big deal to send a serial or cert back to the email contact.


Harold - some servers make it unnecessary complex to download the certs, on some, it needs special user privileges.
Also, many sources offer a full range of certs and chains, the average user does not know how to handle this and find the right one. So, mostly the serial number is easier to handle. And hopefully, if the mediablock had been changed over time, the serial had been updated with the new data set.

It is usually no problem to verify KDMs against CPLs and server certs. Just that only a few people know the tools. Also, in general, the KDM business seems to run smoothly 99.9% of the time. Only when new parties enter the market, there may be short disruptions.

Fixed. We sent them serial numbers and they sent updated keys. No need for certifications.
I'll make a document of all our serials for the future.

For anyone who may come across this thread in the future when experiencing a possible mismatch between the key and the auditorium, the fasted way to see if the key was generated correctly is to compare the public key hash listed in the KDM file to the one for your equipment.

Open the KDM (you can open it in Notepad or drag it into an empty web browser tab) and do a text search for the "dnQualifier" tag. Compare the string listed there to the public key hash for your equipment. All but one of our screens have Dolby DSS servers so I couldn't tell you how to find it on other models, but for those it's listed under System/Theatre Devices/hardware (public key hash).

https://www.kdm-inspector.com

Will check all four components for a successful playout against each other: media block certificate, KDM, specific CPL, and KDM validity window. Again, 99.9% of the time, it is not necessary, but if there is a problem, one can check the reason quickly.