Widevine

There are two options for packaging Widevine DRM encrypted content:

  1. If you know the encryption keys and have the associated Widevine PSSH at hand, you can provide them in clear text to packager directly. Refer to Raw key for details.
  2. Provide key_server_url and the associated credentials to packager. Packager will fetch the encryption keys from the Widevine key server.

Synopsis

AES signing:

$ packager {stream_descriptor} [stream_descriptor] ... \
  --enable_widevine_encryption \
  --key_server_url <key_server_url> \
  --content_id <content_id> \
  --signer <signer> --aes_signing_key <aes_signing_key> \
  --aes_signing_iv <aes_signing_iv> \
  [Other options, e.g. DASH options, HLS options]

RSA signing:

$ packager {stream_descriptor} [stream_descriptor] ... \
  --enable_widevine_encryption \
  --key_server_url <key_server_url> \
  --content_id <content_id> \
  --signer <signer> --rsa_signing_key_path <rsa_signing_key_path> \
  [Other options, e.g. DASH options, HLS options]

Examples

The examples below use the H264 streams created in Media Encoding.

Here is an example with DASH. It can be applied to HLS in a similar way:

$ packager \
  in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
  in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
  in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
  in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
  in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4 \
  --mpd_output h264.mpd \
  --enable_widevine_encryption \
  --key_server_url https://license.uat.widevine.com/cenc/getcontentkey/widevine_test \
  --content_id 7465737420636f6e74656e74206964 \
  --signer widevine_test \
  --aes_signing_key 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
  --aes_signing_iv d58ce954203b7c9a9a9d467f59839249

Refer to player setup for how to configure DRM in Shaka Player.

Widevine test credential

Here is the test credential used in this tutorial.

key_server_url: https://license.uat.widevine.com/cenc/getcontentkey/widevine_test
signer: widevine_test
aes_signing_key: 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9
aes_signing_iv: d58ce954203b7c9a9a9d467f59839249

Note

The test credential is only meant for development. Please reach out to Widevine if you need something for production use.

Widevine encryption options

--enable_widevine_encryption
 Enable encryption with Widevine key server. User should provide either AES signing key (--aes_signing_key, --aes_signing_iv) or RSA signing key (--rsa_signing_key_path).
--enable_widevine_decryption
 Enable decryption with Widevine key server. User should provide either AES signing key (--aes_signing_key, --aes_signing_iv) or RSA signing key (--rsa_signing_key_path).
--include_common_pssh
 When using Widevine encryption, include an additional v1 PSSH box for the common system ID that includes the key IDs. See https://goo.gl/s8RIhr.
--key_server_url <url>
 Key server URL. Required for Widevine encryption and decryption.
--content_id <hex>
 Content identifier that uniquely identifies the content.
--policy <policy>
 The name of a stored policy, which specifies DRM content rights.
--max_sd_pixels <pixels>
 The video track is considered SD if its max pixels per frame is no higher than max_sd_pixels. Default: 442368 (768 x 576).
--max_hd_pixels <pixels>
 The video track is considered HD if its max pixels per frame is higher than max_sd_pixels, but no higher than max_hd_pixels. Default: 2073600 (1920 x 1080).
--max_uhd1_pixels <pixels>
 The video track is considered UHD1 if its max pixels per frame is higher than max_hd_pixels, but no higher than max_uhd1_pixels. Otherwise it is UHD2. Default: 8847360 (4096 x 2160).
--signer <signer>
 The name of the signer.
--aes_signing_key <hex>
 AES signing key in hex string. aes_signing_iv is required if aes_signing_key is specified. This option is exclusive with rsa_signing_key_path.
--aes_signing_iv <hex>
 AES signing iv in hex string.
--rsa_signing_key_path <file path>
 Path to the file containing PKCS#1 RSA private key for request signing. This option is exclusive with aes_signing_key.
--crypto_period_duration <seconds>
 Defines how often the key rotates. If it is non-zero, key rotation is enabled.
--group_id <hex>
 Identifier for a group of licenses.
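
The option rules above (aes_signing_key requires aes_signing_iv, AES and RSA signing are exclusive, and the pixel thresholds decide the track type) can be checked before packager is invoked. The script below is an added example, not part of packager or its documentation; is_hex, signing_mode and track_type are hypothetical helper names, and the length checks (16, 24 or 32-byte key, 16-byte IV) are an assumption based on standard AES sizes.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Widevine options documented above.
# Helper names are hypothetical; none of this is part of packager itself.

# Succeeds if $1 is a non-empty, even-length hex string.
is_hex() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ $(( ${#1} % 2 )) -eq 0 ]
}

# signing_mode AES_KEY AES_IV RSA_KEY_PATH
# Prints "aes" or "rsa" when exactly one signing method is fully specified.
# Assumption: hex-encoded AES key of 16/24/32 bytes and IV of 16 bytes.
signing_mode() {
  if [ -n "$1" ] && [ -n "$3" ]; then
    echo "error: aes_signing_key and rsa_signing_key_path are exclusive" >&2; return 1
  fi
  if [ -n "$3" ]; then
    if [ -n "$2" ]; then echo "error: aes_signing_iv without aes_signing_key" >&2; return 1; fi
    if [ ! -r "$3" ]; then echo "error: RSA key file is not readable" >&2; return 1; fi
    echo rsa; return 0
  fi
  if ! is_hex "$1" || ! is_hex "$2"; then
    echo "error: aes_signing_key and aes_signing_iv must both be hex" >&2; return 1
  fi
  case "${#1}" in
    32|48|64) ;;
    *) echo "error: AES key must be 16, 24 or 32 bytes" >&2; return 1 ;;
  esac
  if [ "${#2}" -ne 32 ]; then echo "error: IV must be 16 bytes" >&2; return 1; fi
  echo aes
}

# track_type WIDTH HEIGHT [MAX_SD [MAX_HD [MAX_UHD1]]]
# Classifies a video track by pixels per frame, using the documented defaults.
track_type() {
  px=$(( $1 * $2 ))
  if   [ "$px" -le "${3:-442368}" ];  then echo SD
  elif [ "$px" -le "${4:-2073600}" ]; then echo HD
  elif [ "$px" -le "${5:-8847360}" ]; then echo UHD1
  else echo UHD2
  fi
}

# Demo with the test credential published on this page and a 720p track.
signing_mode 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
  d58ce954203b7c9a9a9d467f59839249 ""
track_type 1280 720
```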