CDM on Windows reporting Tampered status
I have an Electron app for playing DRM assets. On Mac it is working well. On PC it plays back fine, but the license server is getting a response that says the platform status is PLATFORM_TAMPERED.
I read through the issue here: https://github.com/castlabs/electron-releases/issues/22, but my digests match and I’m getting no errors when running the vmp_resign.py script.
I’m using electron-builder to build and sign the application, then using the vmp_resign script afterwards. I have tried turning off the signAndEditExecutable option so it’s not inserting icons and metadata, but I still am getting the tampered status. It sounds like running the resign script after electron-builder completes may not be enough, based on this: https://github.com/castlabs/electron-releases/issues/56#issuecomment-635600098
One thing I do notice that is odd is that the CDM version reported in the response is one patch version off of what the manifest.json that accompanies the CDM says. The response has “4.10.1582.1”, whereas the manifest.json has “4.10.1582.2”. However, I feel that may be a red herring, as on Mac it is doing the same thing and receiving a VERIFIED status.
Here is the output from the resign verification:
```
vmp-resign/WARNING: -K/--key, -P/--password, -n/--no-prompt-password and -p/--prompt-password are ignored for verification
vmp-resign/INFO: Verifying package: build
vmp-resign/INFO: Reading signature from: build\My Player.exe.sig
vmp-resign/DEBUG: Decoding signature file with version: 0
vmp-resign/DEBUG: Decoding certificate entry
vmp-resign/DEBUG: Decoding signature entry
vmp-resign/DEBUG: Decoding flags entry
vmp-resign/DEBUG: Certificate:
vmp-resign/DEBUG: Version: v3
vmp-resign/DEBUG: Serial Number: <REDACTED>
vmp-resign/DEBUG: Signature Hash Algorithm: sha256
vmp-resign/DEBUG: Issuer: C=US, ST=Washington, L=Kirkland, O=Google, OU=Widevine, CN=widevine-codesign-root-ca
vmp-resign/DEBUG: Subject: C=FR, L=Srasbourg, O=Movidone
vmp-resign/DEBUG: Not Before: 2019-03-04 22:43:01
vmp-resign/DEBUG: Not After: 2029-03-01 22:43:01
vmp-resign/DEBUG: Extensions:
vmp-resign/DEBUG: Subject Key Identifier:
vmp-resign/DEBUG: Digest: c84c5b76507d9fcbe12195414e85b8727b330adc
vmp-resign/DEBUG: Authority Key Identifier:
vmp-resign/DEBUG: Key ID: ca3dd88e0f74577fd09ad9e121bf42fb23552986
vmp-resign/DEBUG: Basic Constraints:
vmp-resign/DEBUG: CA: False
vmp-resign/DEBUG: Key Usage:
vmp-resign/DEBUG: Digital Signature
vmp-resign/DEBUG: Extended Key Usage:
vmp-resign/DEBUG: Code Signing
vmp-resign/DEBUG: 1.3.6.1.4.1.11129.4.1.3:
vmp-resign/DEBUG: ...
vmp-resign/DEBUG: Public Key: RSA 2048 bit
vmp-resign/INFO: Verifying file: build\My Player.exe
vmp-resign/DEBUG: File digest: c5f88e8f18dc1c5c62ab5905d8410ed90446f2be1249b3bb19403c1d8753514d61de0bd0ff3a08057925cd49fdaecda5dc790cf63642336d2d2eb6c39a0ae288
vmp-resign/DEBUG: Verifying data: c5f88e8f18dc1c5c62ab5905d8410ed90446f2be1249b3bb19403c1d8753514d61de0bd0ff3a08057925cd49fdaecda5dc790cf63642336d2d2eb6c39a0ae28801
vmp-resign/INFO: Verified package: build
```
Here is the status from the CDM with the tampered status:
```json
{
  "status":"OK",
  "status_message":"",
  "license_metadata":{
    "content_id":"ewyxzy9KDEGb\/jG65VbVFA==",
    "license_type":"OFFLINE",
    "request_type":"NEW"
  },
  "supported_tracks":[
    {
      "type":"HD",
      "key_id":"TjRfOpWvU4erQnemQaeqgA==",
      "video_feature":""
    },
    {
      "type":"SD",
      "key_id":"RfIwY9PTUICi7o3daBn8cA==",
      "video_feature":""
    },
    {
      "type":"AUDIO",
      "key_id":"KRBtTL+AVyKwylcrnLXI0A==",
      "video_feature":""
    }
  ],
  "make":"Google",
  "model":"ChromeCDM-Windows-2",
  "security_level":3,
  "internal_status":0,
  "session_state":{
    "license_id":{
      "request_id":"sNQeQDTN0PBnxn4WA3pW8g==",
      "session_id":"sNQeQDTN0PBnxn4WA3pW8g==",
      "purchase_id":"",
      "type":"OFFLINE",
      "version":0
    },
    "signing_key":"<REDACTED>",
    "keybox_system_id":13701,
    "license_counter":0
  },
  "drm_cert_serial_number":"<REDACTED>",
  "device_whitelist_state":"DEVICE_NOT_WHITELISTED",
  "platform":"chrome",
  "device_state":"RELEASED",
  "pssh_data":{
    "key_id":[
      "<REDACTED>"
    ],
    "content_id":"ewyxzy9KDEGb\/jG65VbVFA=="
  },
  "client_max_hdcp_version":"HDCP_V1",
  "client_info":[
    {
      "name":"architecture_name",
      "value":"x86-64"
    },
    {
      "name":"company_name",
      "value":"Google"
    },
    {
      "name":"model_name",
      "value":"ChromeCDM"
    },
    {
      "name":"platform_name",
      "value":"Windows"
    },
    {
      "name":"widevine_cdm_version",
      "value":"4.10.1582.1"
    }
  ],
  "platform_verification_status":"PLATFORM_TAMPERED",
  "content_owner":"movidone",
  "content_provider":"movidone",
  "system_id":13701,
  "oem_crypto_api_version":0,
  "resource_rating_tier":0,
  "client_ip":"<REDACTED>"
}
```
Any advice on how to change my signing process or configuration to resolve this tampered status?
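An added example, not part of the original post or of the castlabs tooling: a small triage helper that pulls the VMP-relevant fields out of license-server responses like the one above and checks whether the CDM version mismatch could account for the tampered status. The function names, the trimmed sample data, and the macOS status string are assumptions.

```python
import json

# Trimmed to the fields used here. WINDOWS copies values from the response
# on this page; MACOS is constructed, and its status string is an assumed
# "verified" value (the post only says the Mac status is VERIFIED).
WINDOWS = json.loads("""
{"platform_verification_status": "PLATFORM_TAMPERED",
 "security_level": 3,
 "client_info": [
   {"name": "platform_name", "value": "Windows"},
   {"name": "widevine_cdm_version", "value": "4.10.1582.1"}]}
""")
MACOS = json.loads("""
{"platform_verification_status": "PLATFORM_SOFTWARE_VERIFIED",
 "security_level": 3,
 "client_info": [
   {"name": "platform_name", "value": "Mac"},
   {"name": "widevine_cdm_version", "value": "4.10.1582.1"}]}
""")


def triage(resp, manifest_version):
    """Summarise the fields of one response that matter for VMP debugging."""
    info = {e["name"]: e["value"] for e in resp.get("client_info", [])}
    status = resp.get("platform_verification_status", "MISSING")
    reported = info.get("widevine_cdm_version")
    return {
        "platform": info.get("platform_name", "unknown"),
        "status": status,
        "tampered": status == "PLATFORM_TAMPERED",
        "cdm_reported": reported,
        "cdm_mismatch": reported != manifest_version,
    }


def mismatch_can_explain_tamper(reports):
    """False when some client shows the same version mismatch yet is not
    tampered, so the mismatch alone cannot be the cause."""
    return not any(r["cdm_mismatch"] and not r["tampered"] for r in reports)


if __name__ == "__main__":
    reports = [triage(r, "4.10.1582.2") for r in (WINDOWS, MACOS)]
    for r in reports:
        print(r)
    print("mismatch can explain tamper:", mismatch_can_explain_tamper(reports))
```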
Issue Analytics
- Created 3 years ago
- Comments:28
Top GitHub Comments
Yes, with EVS you will only register an account (we provide the cert through the service itself). You can use this same account to sign whatever application you build on top of ECS.
This seems to be fixed. Thanks a million, @khwaaj!