Widevine¶
There are two options to package a Widevine DRM encrypted content:
- If you know the encryption keys and have the associated Widevine PSSH at hand, you can provide them in clear text to packager directly. Refer to Raw key for details.
- Provide key_server_url and associated credentials to packager. Packager will fetch encryption keys from Widevine key server.
Synopsis¶
AES signing:
$ packager {stream_descriptor} [stream_descriptor] ... \
--enable_widevine_encryption \
--key_server_url <key_server_url> \
--content_id <content_id> \
--signer <signer> --aes_signing_key <aes_signing_key> \
--aes_signing_iv <aes_signing_iv> \
[Other options, e.g. DASH options, HLS options]
RSA signing:
$ packager {stream_descriptor} [stream_descriptor] ... \
--enable_widevine_encryption \
--key_server_url <key_server_url> \
--content_id <content_id> \
--signer <signer> --rsa_signing_key_path <rsa_signing_key_path> \
[Other options, e.g. DASH options, HLS options]
Examples¶
The examples below uses the H264 streams created in Media Encoding.
Here is an example with DASH. It can be applied to HLS in a similar way:
$ packager \
in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4 \
--mpd_output h264.mpd \
--enable_widevine_encryption \
--key_server_url https://license.uat.widevine.com/cenc/getcontentkey/widevine_test \
--content_id 7465737420636f6e74656e74206964 \
--signer widevine_test \
--aes_signing_key 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
--aes_signing_iv d58ce954203b7c9a9a9d467f59839249
Refer to player setup on how to config the DRM in Shaka Player.
Widevine test credential¶
Here is the test crendential used in this tutorial.
key_server_url
signer
widevine_test
aes_signing_key
1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9
aes_signing_iv
d58ce954203b7c9a9a9d467f59839249
Note
The test credential is only meant for development. Please reach out to Widevine if you need something for production use.
Widevine encryption options¶
--enable_widevine_encryption | |
Enable encryption with Widevine key server. User should provide either AES signing key (–aes_signing_key, –aes_signing_iv) or RSA signing key (–rsa_signing_key_path). | |
--enable_widevine_decryption | |
Enable decryption with Widevine key server. User should provide either AES signing key (–aes_signing_key, –aes_signing_iv) or RSA signing key (–rsa_signing_key_path). | |
--include_common_pssh | |
When using Widevine encryption, include an additional v1 PSSH box for the common system ID that includes the key IDs. See https://goo.gl/s8RIhr. | |
--key_server_url <url> | |
Key server url. Required for Widevine encryption and decryption. | |
--content_id <hex> | |
Content identifier that uniquely identifies the content. | |
--policy <policy> | |
The name of a stored policy, which specifies DRM content rights. | |
--max_sd_pixels <pixels> | |
The video track is considered SD if its max pixels per frame is no higher than max_sd_pixels. Default: 442368 (768 x 576). | |
--max_hd_pixels <pixels> | |
The video track is considered HD if its max pixels per frame is higher than max_sd_pixels, but no higher than max_hd_pixels. Default: 2073600 (1920 x 1080). | |
--max_uhd1_pixels <pixels> | |
The video track is considered UHD1 if its max pixels per frame is higher than max_hd_pixels, but no higher than max_uhd1_pixels. Otherwise it is UHD2. Default: 8847360 (4096 x 2160). | |
--signer <signer> | |
The name of the signer. | |
--aes_signing_key <hex> | |
AES signing key in hex string. aes_signing_iv is required if aes_signing_key is specified. This option is exclusive with rsa_signing_key_path. | |
--aes_signing_iv <hex> | |
AES signing iv in hex string. | |
--rsa_signing_key_path <file path> | |
Path to the file containing PKCS#1 RSA private key for request signing. This option is exclusive with aes_signing_key. | |
--crypto_period_duration <seconds> | |
Defines how often key rotates. If it is non-zero, key rotation is enabled. | |
--group_id <hex> | |
Identifier for a group of licenses. |