Requests to DRMToday license servers are being rejected with 403

[Mgrdich]

Hey i have been using electron-forge for building my application , and i have managed to sign macOS correctly and it works, meanwhile in windows i am getting this error.

i am using videojs , videojs-contrib-eme , and i am signing the windows package at the correct place according to some responses on electron-forge discord server.

https://lic.staging.drmtoday.com/license-proxy-widevine/cenc/ 403 Forbidden error. i was wondering if that is the because my drm signing on windows is not done correctly.

in the pipeline i can see vmp-resign.py is executing and it is creating the sig file correctly.

and there were talks that were saying the the installer signature won't change the package , cause it only changes the structure of the installer , because forge is signing it after the installer is made

[khwaaj]

It might be, it is hard to tell without being able to actually inspect the signature. What is important here is that on Windows VMP-signing needs to take place after code-signing, since code-signing changes the executable. Whether the installer signature is a problem, I'm not sure, but I doubt it. I know there has been problems with some installer types in the past though.

Did you try verifying the signature with vmp-resign.py after an installation (i.e. with the -Y option)?

[Mgrdich]

it turns out the windows signature installer was messing DRM signing. cause Electron forge signs the windows on the installer level , but that actually messes up with the DRM signing , it is working without that step.

[vanminhquangtri]

hi @Mgrdich , I have same similar problem with you. First, I test the demo DRM from dashjs: https://reference.dashif.org/dash.js/latest/samples/drm/widevine.html This works ok on both Electron App and normal browser Chrome.

Second, when test with my DRM: https://lic.drmtoday.com/license-proxy-widevine/cenc/?specConform=true It give error 403 on electrong App but work ok on normal browser Chrome.

So can you please advise is it is compusory to do the code signing so that the DRM will work on Electron App? Because on my first case, demo DRM from dashjs, it work ok.

My OS is Window 11 Pro, 64-bit. Thank you.

[Mgrdich]

I ended up ignoring windows signing for now, I know it is not that helpful but I didn't have any other choice.

[vanminhquangtri]

@Mgrdich I am actually stuck at this point. The main purpose for my Electron App is to play DRM content. I try to solve problem for a week but nothing work. So does your project run ok now?

[Mgrdich]

module.exports = function (appName, widevineCertificationPassword, directories) {
  const { packagedFileDirectory, baseCertificationPath } = directories;

  // Make sure we don't leave an outdated electron.exe.sig laying about
  const signPath = path.join(packagedFileDirectory, `${appName}.exe.sig`);
  const anotherSignPath = path.join(packagedFileDirectory, `electron.exe.sig`);

  if (fs.existsSync(signPath)) {
    fs.unlinkSync(signPath);
  }

  if (fs.existsSync(anotherSignPath)) {
    fs.unlinkSync(anotherSignPath);
  }

  // Sign the application package
  const spawnSync = child_process.spawnSync;
  const vmp = spawnSync(
    'python', // windows container automatically picks up python3 this may make a difference
    [
      path.join('node_modules', 'electron', 'vmp-resign.py'),
      '-vv',
      '-W',
      appName + '.exe',
      '-C',
      path.join(baseCertificationPath, NAMES.certificationsFolderName, NAMES.widevineCertificate),
      '-K',
      path.join(baseCertificationPath, NAMES.certificationsFolderName, NAMES.widevineCertificateKey),
      '-P', // -p Prompt for password (use -P to supply instead),
      widevineCertificationPassword,
      packagedFileDirectory,
    ],
    {
      stdio: 'inherit',
    },
  );

  if (vmp.status !== 0) {
    throw new Error('vmp-resign.py failed with code: ' + vmp.status);
  }
};

and in Electron forge execute it in this hook,

/**
     * @description Widevine windows os signing step
     * */
    postPackage: async (forgeConfig, options) => {
      // get the variables that you want and call the function in this hook

      if (platform !== 'win32') return;

      // after windows sign // in Electron builder afterSign
      return windowsWidevineSignHook(appName, widevineCertificationPassword, {
        packagedFileDirectory: absolutePackagePath,
        baseCertificationPath: __dirname,
      });
    },

And it worked but bear in mind that the windows certification should not be True, otherwise when the electron-wininstaller will change the signature or corrupt it in some way that i don't understand.

electron-wininstaller but make sure you create an installer , cause that helps you with the correct packaging and autoupdates and all the other cool stuff.

Buttom line is it worked , without the windows certification , DRM signing worked and i tested it.