Announcement

Collapse
No announcement yet.

"Signature verification", what is it?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • "Signature verification", what is it?

    This message has been popping up lately when ingesting DCPs from hard drives:
    "Signature verification of packing list failed. Do you want to continue?"

    What fresh hell is this? Let me guess, another layer of "security" - really, they don't trust us, do they?

    I usually just hit OK, and things ingest normally. Shrug. Until today. Now, with a drive we've used before without trouble, I get an "Exception" error every time. Can't ingest, and live play is a no-go.

    Is this related at all to this Signature jazz? Or what? Would be nice if the "exception" error would give me a list of possible causes. Not today! Cancelling shows and calling Deluxe for a replacement.
    You do not have permission to view this gallery.
    This gallery has 2 photos.

  • #2
    The only time I had an "exception" it was due to a bad hard drive.

    The signature verification thing is maybe related to the big encryption blow-up a month or two back. (This is just a guess on my part.)

    Comment


    • #3
      It does sound like a symptom you would get from the recent issue that popped up on NYE. But I have not heard of it in this context.
      There could be other issues. I remember seeing a few CPLs come out with badly formed pkl signatures that were out of date way before the major NYE hiccup. clairmeta found that issue and I reported them to the big entry in the game.

      Try clairmeta on it, may give you more context as to the problem.

      Those images are from a GDC, and I did read there are some upgrades now available to address signature issues. (See the ISDCF updated document on the topic)
      I would recommend going to that firmware and seeing what happens. (Yes, you may have to pay for an upgrade. But in this case, you should.)

      Comment


      • #4
        Just a guess... Somehow, the checksums didn't add up, somewhere? In other words, when the files were unpacked, after receiving them, the checksum didn't match the signature that was given by the sender. If that's true, supposition this is, the problem would most likely lie in either the network or your storage/hard drive devices.

        Comment


        • #5
          Digital signatures are used everywhere but generally where encryption is also present. You can digitally 'sign' anything and it does not have to be encrypted. Actually if people weren't frightened by how complicated it sounds this would actually save us from the deluge of spam and bring sanity back to our communications.

          That said if the signature fails that means that the payload has likely been modified from the original signed version or it is not from the correct source. Generally that happens by accidental corruption maybe during the download process. It doesn't mean that someone maliciously changed something. It could be anything legit or someone sold you a DCP that they don't really have the rights to. It could also mean that your disk is failing and part of the DCP couldn't be read accurately. Here this sounds like this might be the case.

          Over 50 years ago some smart people got interested in mathematical functions that are easy to do in one direction but impossible in the other. You could easily calculate something but not be able to un-calculate it to find the starting point. They found pairs of equations that let you go from A to B with one and then from B to A using the other. These equations involved coefficients that are now referred to as a "key pair" where you keep one member of the set very very private and make the other absolutely public. If you perform the calculation (encryption) with one member of the set (say the private key) then anyone with the public key can reverse the operation and get the original message/data. So fun stuff can happen like you can create a message and encrypt with my public key (that you have and generally easily can get). As I (should) be the only one with my private key only I can read your message and no one else!

          Signatures are the reverse. The source of the signature calculates a checksum. Really it is a digest these days and something like SHA256 which is one of any number of mashups that take every bit of the message into some screwy calculation that results in something like a 32 byte number (normal numbers are 4 bytes). This is a calculation that no body (hopefully) can reverse. But the idea is that if you get the message and calculate your own digest, if nothing has changed, then you should get the same result. It is, however, impossible (generally) for anyone to change the message and force it to have the exact same digest. Usually the message digest includes some information about the source that you include in your check calculation to prove that the message is authentic. Ordinarily that would be enough but they go further to encrypt the digest value with the source's private key and call it a Signature. You, having the public key can retrieve the digest number to compare to your calculation.

          You can see how even the description starts to baffle you and so, people leave it to someone else to force on them.

          So if one (1) bit in the whole DCP gets changed from a 0 to a 1 (or the reverse) the digest produces a wildly different result. The media server decrypts the signature with the public key which is likely also in the DCP and does the math to check the digest and it fails. Probably your disk, eh?

          Sadly in the DCP there might be some error correcting code that would have fixed that bad bit and let the show go on. But no, screw all those smart people who devised error correction for the benefit of mankind. We'll just fail the signature and and force you to illegally play a DVD.

          Ha. My Sunday morning attitude showing through a day early.
          Last edited by Bruce Cloutier; 03-30-2024, 10:58 AM.

          Comment


          • #6
            One of the cleverest things that I've ever come across is parchive.

            https://en.wikipedia.org/wiki/Parchive

            It seems to have more-or-less disappeared these days but it was wonderful for downloading binary files from usenet (back when dinosaurs roamed the earth).

            Comment


            • #7
              My outgoing emails have a digital signature attached. It doesn't prove anything. It is a built-in option for most all email clients. I was wondering if anyone cared and so I enabled it. I just shake my head when someone writes back saying "I couldn't open your attachment" when the email wasn't trying to convey an attachment. It is my signature. Those are the very same people that will fall prey to a phishing attack. Oh look... there is an attachment, let me click on it and cripple my computer!

              That digital signature confirms that the content is from me ONLY if you obtain my public key from me separately and in some trusted fashion. Anyone can sign a message and still say it is from me. You need to have a certified public key from me. This is where the digital certificates come in and completely baffle everyone rendering the tech untenable. Meanwhile, certificate signing authorities are pleased to have the additional revenue stream from those who are willing.

              So it is not perfect. It doesn't have to be because just a little security is enough to keep an honest person honest. But they are all panicked over the idea that there could be a quantum super computer that will instantly render all of it useless. Like someone is going to spend a few billion dollars to break into your JNIOR.

              They are very very very far from having any quantum computer by the way. There is a lot of money being thrown at it and a lot of people are on the hook to make good on those investments. That's where all of the positive hype about it comes from. None of those guys are going to preach any sobering reality. Not and risk their career by drawing the scorn and contempt of those signing the checks. It amounts to a huge scam at this point.

              And, apparently, protecting an artist's rights to the digital content is paramount and on par with national security. Batteries going dead does lead to more annual revenue.

              Just saying...

              Comment


              • #8
                We were having problems with signature verification. People at Deluxe said they had no idea what was causing it. Person at GDC said Deluxe does know and they problem is on films encoded before then end of 2023. GDC said they should still be able to play (and so far they have), but you may want to get a OC Key and test before showday. I do not know if it applies only to GDC servers.
                Sometimes it will show up as an Exception, but not always. So run a full verify on the title after you have ingested it.

                Comment


                • #9
                  Peter, what GDC software version are you running? Some models now have an update available to address the signature verification error on SMPTE DCPs distributed by Deluxe that were mastered before mid-December 2023 (and any other SMPTE DCP with an expired cert in the signing chain). If you are getting an 'Exception' on ingest, you probably received a defective CRU drive--it happens.

                  Comment


                  • #10
                    It cannot be a corrupted bit, as, the purpose of the ingest implementation of DCI/SMPTE is to detect any possible corruption and if detected, refuse to ingest the suspect content.
                    I would rule that possibility out.
                    It's far more likely an ambiguous implementation of the SMPTE spec etc. which is mostly the reason we have the NYE, and other signing issues of late.

                    I would be upgrading to the latest release that is supposed to address issues like this. After that, get back to us if you still see a problem. If you do, then it should be escalated.

                    Comment


                    • #11
                      If you have a GRU drive, you can ask the little yellow minions that came with the server to do the signature verification for you.

                      Comment


                      • #12
                        Originally posted by Frank Cox View Post
                        The only time I had an "exception" it was due to a bad hard drive.

                        The signature verification thing is maybe related to the big encryption blow-up a month or two back. (This is just a guess on my part.)
                        What encryption blow-up? Sorry, I'm an isolated user and they don't send me memos.

                        Comment


                        • #13
                          This one:

                          http://www.film-tech.com/vbb/forum/m...l-outage-today

                          Comment

                          Working...
                          X