Widevine

There are two options to package a Widevine DRM encrypted content:

1. If you know the encryption keys and have the associated Widevine PSSH at hand, you can provide them in clear text to packager directly. Refer to Raw key for details.
2. Provide key_server_url and associated credentials to packager. Packager will fetch encryption keys from Widevine key server.

Synopsis

AES signing:

$ packager <stream_descriptor> ... \
  --enable_widevine_encryption \
  --key_server_url <key_server_url> \
  --content_id <content_id> \
  --signer <signer> --aes_signing_key <aes_signing_key> \
  --aes_signing_iv <aes_signing_iv> \
  [Other options, e.g. DASH options, HLS options]

RSA signing:

$ packager <stream_descriptor> ... \
  --enable_widevine_encryption \
  --key_server_url <key_server_url> \
  --content_id <content_id> \
  --signer <signer> --rsa_signing_key_path <rsa_signing_key_path> \
  [Other options, e.g. DASH options, HLS options]

Examples

The examples below uses the H264 streams created in Media Encoding.

• Here is an example with both DASH and HLS output:

  $ packager \
    in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
    in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
    in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
    in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
    in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4 \
    --mpd_output h264.mpd \
    --hls_master_playlist_output h264_master.m3u8 \
    --enable_widevine_encryption \
    --key_server_url https://license.uat.widevine.com/cenc/getcontentkey/widevine_test \
    --content_id 7465737420636f6e74656e74206964 \
    --signer widevine_test \
    --aes_signing_key 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
    --aes_signing_iv d58ce954203b7c9a9a9d467f59839249
  

• Another example using ‘cbcs’ protection scheme:

  $ packager \
    in=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 \
    in=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 \
    in=h264_main_480p_1000.mp4,stream=video,output=h264_480p.mp4 \
    in=h264_main_720p_3000.mp4,stream=video,output=h264_720p.mp4 \
    in=h264_high_1080p_6000.mp4,stream=video,output=h264_1080p.mp4 \
    --mpd_output h264.mpd \
    --hls_master_playlist_output h264_master.m3u8 \
    --protection_scheme cbcs \
    --enable_widevine_encryption \
    --key_server_url https://license.uat.widevine.com/cenc/getcontentkey/widevine_test \
    --content_id 7465737420636f6e74656e74206964 \
    --signer widevine_test \
    --aes_signing_key 1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 \
    --aes_signing_iv d58ce954203b7c9a9a9d467f59839249
  

Refer to player setup on how to config the DRM in Shaka Player.

Widevine test credential

Here is the test crendential used in this tutorial.

key_server_url:https://license.uat.widevine.com/cenc/getcontentkey/widevine_test signer:widevine_test aes_signing_key:  1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9 aes_signing_iv:d58ce954203b7c9a9a9d467f59839249

Note

The test credential is only meant for development. Please reach out to Widevine if you need something for production use.

DRM related Stream descriptor fields

skip_encryption=0|1:  Optional. Defaults to 0 if not specified. If it is set to 1, no encryption of the stream will be made. drm_label:Optional value for custom DRM label, which defines the encryption key applied to the stream. Typically values include AUDIO, SD, HD, UHD1, UHD2. For raw key, it should be a label defined in –keys. If not provided, the DRM label is derived from stream type (video, audio), resolutions, etc. Note that it is case sensitive.

General encryption options

--protection_scheme <scheme>
	Specify a protection scheme, ‘cenc’ or ‘cbc1’ or pattern-based protection schemes ‘cens’ or ‘cbcs’.
--vp9_subsample_encryption, --novp9_subsample_encryption
	Enable / disable VP9 subsample encryption. Enabled by default.
--clear_lead <seconds>
	Clear lead in seconds if encryption is enabled.

Widevine encryption options

--enable_widevine_encryption
	Enable encryption with Widevine key server. User should provide either AES signing key (–aes_signing_key, –aes_signing_iv) or RSA signing key (–rsa_signing_key_path).
--enable_widevine_decryption
	Enable decryption with Widevine key server. User should provide either AES signing key (–aes_signing_key, –aes_signing_iv) or RSA signing key (–rsa_signing_key_path).
--include_common_pssh
	When using Widevine encryption, include an additional v1 PSSH box for the common system ID that includes the key IDs. See https://goo.gl/s8RIhr.
--key_server_url <url>
	Key server url. Required for Widevine encryption and decryption.
--content_id <hex>
	Content identifier that uniquely identifies the content.
--policy <policy>
	The name of a stored policy, which specifies DRM content rights.
--max_sd_pixels <pixels>
	The video track is considered SD if its max pixels per frame is no higher than max_sd_pixels. Default: 442368 (768 x 576).
--max_hd_pixels <pixels>
	The video track is considered HD if its max pixels per frame is higher than max_sd_pixels, but no higher than max_hd_pixels. Default: 2073600 (1920 x 1080).
--max_uhd1_pixels <pixels>
	The video track is considered UHD1 if its max pixels per frame is higher than max_hd_pixels, but no higher than max_uhd1_pixels. Otherwise it is UHD2. Default: 8847360 (4096 x 2160).
--signer <signer>
	The name of the signer.
--aes_signing_key <hex>
	AES signing key in hex string. aes_signing_iv is required if aes_signing_key is specified. This option is exclusive with rsa_signing_key_path.
--aes_signing_iv <hex>
	AES signing iv in hex string.
--rsa_signing_key_path <file path>
	Path to the file containing PKCS#1 RSA private key for request signing. This option is exclusive with aes_signing_key.
--crypto_period_duration <seconds>
	Defines how often key rotates. If it is non-zero, key rotation is enabled.
--group_id <hex>
	Identifier for a group of licenses.