The Y2k24 BUG! MAJOR DIGITAL OUTAGE TODAY!


  • #16
    This affects only KDM and/or CPL XML files - these contain/refer to the expired signer certificate. They can be recreated quickly once a new valid cert has been issued. A new KDM can be ingested as a normal process, a new CPL can only be ingested as another VF. So, if the issue can be fixed with a new KDM, that's as simple as sending out new KDMs for all CPLs. If it's the CPL that is affected (may depend on specific server software), new VFs for all versions have to be created and distributed. These, however, do not need to contain any media assets and can be as small as KDMs and will ingest in no time. They can be sent with the new KDMs necessary anyway in the same email.

    MPS just answered me that new KDMs will be issued. Not sure if that actually means that KDMs alone will solve the issue.

    Note that this issue does not exhibit a technical weakness of those affected servers - on the contrary, it means that these servers run fully functional DCI compliant software, while those servers not affected obviously run sloppy software! However, from the exhibitor's view, it is of course a benefit to operate a server running sloppy software, at least with respect to security validation ;-)
    Also, this issue only happens with SMPTE DCPs, not Interop DCPs.

    Comment


    • #17
      Well, I'm running 35mm print of That's Entertainment right now in my Film-Tech Cinema Systems house for New Year!, digital bugs won't bother me!! HAPPY NEW YEAR TO ALL!

      Comment


      • #18
        Originally posted by Carsten Kurz View Post
        This affects only KDM and/or CPL XML files - these contain/refer to the expired signer certificate.
        So is this issue certified as the actual cause?

        I am surprised as certificate expirations don't typically occur exactly on a year boundary.

        Also, wouldn't key management systems typically fire a warning if you tried to generate a KDM that goes past the not-after dates assigned to a DKDM and certificate that signed the XML file?

        What has to be fixed to avoid this from happening again?

        Comment


        • #19
          We worked around these issues a while with DCP-o-matic - the trouble is that many management systems seem to care only about playout/decryption validity or media block certificates, but don't care about signer certificates. We received one such bad KDM a while ago from a German KDM service company as well. After my hints to signer cert validity, they were able to find that as the reason and issue a new KDM. The error message given on the Sony is quite typical. And Barco fixed their 2049 issue on the ICMP a while ago. Of course, all management systems SHOULD check this well in advance, but it looks as if some simply missed that so far.

          BTW - our Barco ICMP just finished ingesting WONKA and KDMs - it works there, so we are safe for today.

          No sign of new KDMs from MPS yet.
          Last edited by Carsten Kurz; 01-01-2024, 01:52 AM.

          Comment


          • #20
            Originally posted by Leo Enticknap View Post
            As each media block has a unique certificate / decryption key, my understanding is that the KDM has to match that with the decryption key for the CPL being played in order to enable decryption: in other words, a universal key that would work on all media blocks is impossible. The system was deliberately designed that way.
            There is another roadblock for universal keys:

            A DCI compliant system is required to match the "Recipient Identifier" in the KDM to match the thumbprint of the targeted media block. The thumbprint is an SHA-1 hash of the public key of that media block.
            I haven't read all of the SMPTE ST 430-2 specifications, but it seems there is no provision for wildcards in there, so every KDM needs to be specifically targeted towards a certain media block.

            Comment


            • #21
              Originally posted by Carsten Kurz View Post
              If it's the CPL that is affected (may depend on specific server software), new VFs for all versions have to be created and distributed. These, however, do not need to contain any media assets and can be as small as KDMs and will ingest in no time. They can be sent with the new KDMs necessary anyway in the same email.

              MPS just answered me that new KDMs will be issued. Not sure if that actually means that KDMs alone will solve the issue.
              GDC SR1000 I saw rejected the signature of the OV CPL even when projecting the IT VF. I think that a new VF will not be playable, as it will make reference to the same old OV and a new full package will be required. From what I have seen, KDMs were always considered correct.

              MPS is answering that way because (at least here in Italy) they are responsible only for KDM delivery, while it's Deluxe in charge for DCPs.

              Comment


              • #22
                Press coverage:

                Alamo Drafthouse cancels movie showings due to projector glitch

                Comment


                • #23
                  Update: my customer just received a set of new VFs + KDM for Wonka

                  Comment


                  • #24
                    VFs never reference OV CPLs, only OV assets. The bad OV CPL may stay on the server, the new VF will still work. Only the CPL and KDMs are signed, not the assets.
                    Last edited by Carsten Kurz; 01-01-2024, 03:15 PM.

                    Comment


                    • #25
                      Originally posted by Elia Orselli View Post
                      Update: my customer just received a set of new VFs + KDM for Wonka
                      Hi Elia,

                      Did it solve the problem?

                      Best,

                      Comment


                      • #26
                        Originally posted by John Eickhof View Post
                        Well, I'm running 35mm print of That's Entertainment right now in my Film-Tech Cinema Systems house for New Year!, digital bugs won't bother me!! HAPPY NEW YEAR TO ALL!
                        And it actually still has color???

                        Comment


                        • #27
                          Originally posted by Mete Tunca View Post
                          Did it solve the problem?
                          Yes! All my sites concerned are now working

                          I was discussing the issue with a colleague and giving a look at DCI specs (and SMPTE standards related). It is unclear whether the validity of the CPL signature should be verified by the SM on the date and time of projection or whether relative to the date of content creation. Both options seem to be accepted (and indeed both seem to have been employed by the various manufacturers).
                          Last edited by Elia Orselli; 01-01-2024, 09:26 AM.

                          Comment


                          • #28
                            Well Happy New Year, & good for you Elia! You must have good connections with Deluxe
                            and/or MPS, since I'm waiting for them (Deluxe) to issue 'the fix' and new KDMs here. Or
                            maybe they're doing it by 'time zone', since you and the USA East Coast are way ahead of
                            San Francisco on the clock, so it makes a bit of sense to fix the issue in order of who needs
                            it first. We've still got several hours to go here before the theater opens its doors, if they do
                            decide to open today, but right now, we're still down.

                            Comment


                            • #29
                              I have received also a new Supp package, generated today + new KDMs and the GDC SR-1000 can play again the new Wonka version....

                              Comment


                              • #30
                                Originally posted by Elia Orselli View Post
                                I was discussing the issue with a colleague and giving a look at DCI specs (and SMPTE standards related). It is unclear whether the validity of the CPL signature should be verified by the SM on the date and time of projection or whether relative to the date of content creation. Both options seem to be accepted (and indeed both seem to have been employed by the various manufacturers).
                                When we diagnosed signing cert validity bugs on the Sony and the Barco ICMP for DCP-o-matic cert creation rules, we noticed that both have no trouble with a non-valid CPL signing certificate, but with a non-valid KDM signing certificate. The signing cert validity of the KDM was seemingly checked only at play time, so, on the Sony, I was able to select a CPL and hit play - but then received an error message about an invalid KDM - although the GUI showed it okay in content listing/Library. But I guess every server handles this in a different way and it probably also depends on the software version to a certain extent.

                                Comment
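The two signer-certificate validation policies described in posts #27 and #30, together with the advance check asked about in #18 and #19, as an added example that is not part of any post and not code from any server or KDM service. All class and function names, certificate dates and the playback window are constructed for illustration; no signature is parsed or verified here, only validity periods are compared.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(*a):
    return datetime(*a, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class SignedDoc:               # a CPL or KDM reduced to the fields the check needs
    kind: str
    issue_date: datetime       # when the XML was signed
    chain: tuple               # signer leaf first, root last
    play_window: tuple = ()    # KDM only: (not valid before, not valid after)

def invalid_certs(doc, when):
    """Subjects of chain certificates whose validity period excludes `when`."""
    return [c.subject for c in doc.chain
            if not (c.not_before <= when <= c.not_after)]

def verify(doc, policy, now):
    """'at_issue' checks the chain at signing time, 'at_playback' at `now`."""
    if policy not in ("at_issue", "at_playback"):
        raise ValueError(policy)
    return invalid_certs(doc, doc.issue_date if policy == "at_issue" else now)

def preflight(doc):
    """Issuer-side check: does the playback window outlast a chain certificate?"""
    if not doc.play_window:
        return []
    end = doc.play_window[1]
    return [f"{c.subject} expires {c.not_after:%Y-%m-%d}, before window end {end:%Y-%m-%d}"
            for c in doc.chain if c.not_after < end]

# Constructed sample data (hypothetical dates, not taken from any real certificate).
ROOT = Cert("root", utc(2010, 1, 1), utc(2035, 1, 1))
LEAF = Cert("signer-leaf", utc(2014, 1, 1), utc(2023, 12, 31, 23, 59, 59))
CPL = SignedDoc("CPL", utc(2023, 11, 15), (LEAF, ROOT))
KDM = SignedDoc("KDM", utc(2023, 12, 20), (LEAF, ROOT), (utc(2023, 12, 22), utc(2024, 1, 5)))
NOW = utc(2024, 1, 1, 12)

if __name__ == "__main__":
    for doc in (CPL, KDM):
        for policy in ("at_issue", "at_playback"):
            print(doc.kind, policy, verify(doc, policy, NOW) or "OK")
        print(doc.kind, "preflight:", preflight(doc))
```

With this data both documents pass under the signing-time policy and are rejected under the playback-time policy, while `preflight` would have flagged the KDM on the day it was issued.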
