Widevine Technologies
Getting Started
 

Widevine Quarterly Partner Update - Q1 2018

Posted: March 29, 2018

Welcome to another quarterly update from the Widevine team. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

NAB 2018

Widevine is part of the Google presence at NAB 2018 this year. Please reach out to meet-widevine@google.com to arrange a discussion.

Chrome Browser

Chrome 59 (and later) includes support for Verified Media Path (VMP). VMP provides a method to verify the authenticity of a device platform. For browser deployments, this will provide an additional signal to determine if a browser-based implementation is reliable and secure.

The proxy integration guide has been updated with information about VMP and how to issue licenses.

Widevine recommends our browser-based integrations (vendors and browser-based applications) add support for VMP.

Shaka Player has released v2.3.4.

Flash deprecation

In July 2018, Chrome will require Flash to be enabled on sites that still require it every time the user restarts the browser. User-defined override lists will no longer be persisted in site exceptions after this date.

iOS

The Widevine iOS client will only support arm64 architecture going forward in a quarterly release cycle starting in Q2 2018.

Content Encryption

Widevine would like to reinforce our recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each category of SD, HD, 4K (UHD1), 8K (UHD2) and AUDIO streams.

Shaka Packager has released v2.0.2 with support for CMAF.

Widevine Cloud License Service

Cloud Environments

Widevine has three different cloud services - UAT, Staging and Production. Moving forward, we recommend that partners use the appropriate environment to validate any new changes coming to the production environment.

The Widevine release process will update Staging first. Approximately 1-2 weeks later, Production and UAT are updated simultaneously if Staging is successfully verified.

This table represents the available Widevine Cloud License Service endpoints:

Environment Data Store GetLicense GetContentKey Purpose
UAT (Test) UAT https://license.uat.widevine.com/cenc/getlicense/<provider> https://license.uat.widevine.com/cenc/getcontentkey/<provider> Testing environment for Device Integration and Service providers
Staging Production https://license.staging.widevine.com/cenc/getlicense/<provider> https://license.staging.widevine.com/cenc/getcontentkey/<provider> Testing environment for bug fixes, and new changes.
Production Production https://license.widevine.com/cenc/getlicense/<provider> https://license.widevine.com/cenc/getcontentkey/<provider> Standard production environment.

The Production and Staging environment is accessed using the same set of service credentials (IV/Key pair), separate from UAT.

  • Staging is a pre-release environment for Production releases. It is recommended that a service provider use staging to validate after launch.
  • Data (content keys, provider credentials)

The UAT (Test) environment is accessed using a unique set of service credentials (IV/Key pair). The purpose of UAT is to enable:

  • Testing and integration of devices in development.
  • Testing and integration of service providers.

Cloud Service Performance

Please contact us to discuss the Queries Per Second (QPS) requirements for your service. Performance or load testing must be executed on our production systems only. We will need to know the expected traffic (QPS, duration) for any testing.

Cloud Signing Key Rotation

Signing key credentials for access to the Widevine Cloud License Service can now be enabled to expire and new signing keys will be auto-generated. Please contact us if you are interested in enabling this function.

Training Program (CWIP)

The next training sessions in 2018 are scheduled for:

  • June 4 - 7 in Kirkland, WA, USA
  • Oct 2 - 5 in Europe (TBD)

Best,
The Widevine Team

 



Widevine Quarterly Partner Update - Q4 2017

Posted: December 11, 2017

Welcome to another quarterly update from the Widevine team. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Widevine CAS

We recently announced Widevine CAS for the Android TV platform using the same business model as any other Widevine product. Leveraging the existing security solution (4K, UHD compliant) for Widevine DRM on OTT platforms, the Widevine CAS client will provide a strategic value proposition for Pay TV operators with our no-fee licensing terms.

HLS and CMAF

This document describes HLS support across Widevine clients. It includes the Widevine HLS specification for CMAF.

Support for V2 (CMAF) is coming in 2018.

Chrome Browser

Cross-origin EME

Starting from Chrome M64 (due January 2018), by default EME usage is disabled in cross-origin iframes: requestMediaKeySystemAccess() will always return a rejected promise.

In order for a cross-origin iframe to use EME as normal, the embedding page must specify a Feature Policy that enables "encrypted-media" for the frame. For example, the embedder could specify the iframe tag as:

Note that pages should only do this for iframes that have a legitimate need to use EME. For example, due to site design involving sub-origins or because the player is hosted on a different origin.

For more context on deprecating features in cross-origin iframes and Feature Policy in Chromium, see https://dev.chromium.org/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes

Widevine Browser CDM

Widevine has deprecated CDM versions that do not contain VMP functionality. This will take effect immediately after the release of Chrome M63 (targeted in early December 2017).

CDM version 1.4.8.984 and later support VMP (See chrome://components). Any version prior to this will be revoked and no longer function. This means that no licenses will be issued for these older CDM versions.

Chrome 59 (and later) includes support for Verified Media Path (VMP). VMP provides a method to verify the authenticity of a device platform. For browser deployments, this will provide an additional signal to determine if a browser-based implementation is reliable and secure.

The proxy integration guide has been updated with information about VMP and how to issue licenses. Widevine recommends our browser-based integrations (vendors and browser-based applications) add support for VMP.

Flash Deprecation

In July 2018, Chrome will require Flash to be enabled on sites that still require it every time the user restarts the browser. User-defined override lists will no longer be persisted in site exceptions after this date.

iOS

New release - version 3.1 (2017 September)

Reference App

  • Change Network check to use Apples reachability.
  • Refactor code to handle for CDM v3.1 update.
  • Rename and break apart Streaming class to PlaylistBuilder/Server.
  • Support SegmentTemplate w/Timeline.
  • Validate support for iOS11
  • Add SystemConfiguration framework and Libz.dylib to project dependencies.
  • Switch HTTP Server to GCDWebServer with CocoaLumberJack.
  • Include OCMock for improved Testing.
  • Add listener and notifications for Screen Capturing.

CDM

  • Upgrade CDM to v3.1 (Improved Security, Bug Fixes, and more).
  • Increased Obfuscation and Security for content keys.
  • Fix multiple leaks

Content Encryption

Group License

We have introduced the group licensing feature where a single license unlocks multiple content - especially useful for the live broadcast use-case. Please review our group license document for further information.

Widevine would like to reinforce our recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each category of SD, HD, 4K (UHD1), 8K (UHD2) and AUDIO streams.

Widevine Cloud License Service

SSL Certificates

Google HTTPS services uses certificates issued by GeoTrust Global CA and are cross-signed by Equifax.

This will change in the next 3–18 months. The Widevine Cloud License Service will rely on these Google certificates, like any Google external endpoint.

All Google services including Widevine, will transition to using:

  • GlobalSign Root CA - R2
  • GlobalSign Root CA - R3
  • GlobalSign Root CA - R4
  • Up to 4 new Google roots.

When is this going to happen?

Starting 2017 (for up to 5 years)

How can I validate?

You can test whether your services are compatible with this by loading:

GlobalSign Root CA - R2 - https://2021.globalsign.com
GlobalSign Root CA - R4 - https://2038r4.globalsign.com
GlobalSign Root CA - R3 - https://2029.globalsign.com

To support Google roots, test the above sites. It is expected to be sufficient for the five year timeframe that Google provides guidance for.

What to update

Google has long required that products include the certificate authorities contained in https://pki.google.com/roots.pem. This will continue to function for the next few years at least. The recommendation is to refresh roots from the current version of this file in order to ensure continued operation in the long term.

If you observe TLS-level (as opposed to certificate-related) errors when accessing some of the test sites it may be because the client is not sending a server-name indication (SNI). This is mandatory when connecting to Google.

Cloud Environments

Widevine has three different cloud services - UAT, Staging and Production. Moving forward, we recommend that partners use the appropriate environment to validate any new changes coming to the production environment.

The Widevine release process will update Staging first. Approximately 1-2 weeks later, Production and UAT are updated simultaneously if Staging is successfully verified.

This table represents the available Widevine Cloud License Service endpoints:

Environment Data Store GetLicense GetContentKey Purpose
UAT (Test) UAT https://license.uat.widevine.com/cenc/getlicense/<provider> https://license.uat.widevine.com/cenc/getcontentkey/<provider> Testing environment for Device Integration and Service providers
Staging Production https://license.staging.widevine.com/cenc/getlicense/<provider> https://license.staging.widevine.com/cenc/getcontentkey/<provider> Testing environment for bug fixes, and new changes.
Production Production https://license.widevine.com/cenc/getlicense/<provider> https://license.widevine.com/cenc/getcontentkey/<provider> Standard production environment.

The Production and Staging environment is accessed using the same set of service credentials (IV/Key pair), separate from UAT.

  • Staging is a pre-release environment for Production releases. It is recommended that a service provider use staging to validate after launch.
  • Data (content keys, provider credentials)

The UAT (Test) environment is accessed using a unique set of service credentials (IV/Key pair). The purpose of UAT is to enable:

  • Testing and integration of devices in development.
  • Testing and integration of service providers.

Cloud Service Status Codes

The Widevine Cloud License Service will not return HTTP 500 status on all errors. The table below illustrates HTTP response code to status conditions.

HTTP Response Status
400 INVALID_ARGUMENT
FAILED_PRECONDITION
OUT_OF_RANGE
ALREADY_EXISTS
403 PERMISSION_DENIED
UNAUTHENTICATED
404 NOT_FOUND
500 INTERNAL, DATA_LOSS
ABORTED
CANCELLED
UNKNOWN
UNAVAILABLE
RESOURCE_EXHAUSTED
DEADLINE_EXCEEDED
501 UNIMPLEMENTED

Cloud Service Load Expectations

Please contact us to discuss the Queries Per Second (QPS) requirements for your service. Performance or load testing must be executed on our production systems only. We will need to know the expected traffic (QPS, duration) for any testing.

Cloud Service Load Expectations

Signing key credentials for access to the Widevine Cloud License Service can now be enabled to expire and new signing keys will be auto-generated. Please contact us if you are interested in enabling this function.

Training Program (CWIP)

Our first 2 training sessions in 2018 are scheduled for:

  • March 12 - 15 in London
  • April 23 - 26 in Singapore

Please contact us if we can assist with any questions.

Best,
The Widevine Team

 



Widevine Quarterly Partner Update - Q3 2017

Posted: October 09, 2017

Welcome to another quarterly update from the Widevine team. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Chrome Browser

Chrome 59 (and later) includes support for Verified Media Path (VMP). VMP provides a method to verify the authenticity of a device platform. For browser deployments, this will provide an additional signal to determine if a browser-based implementation is reliable and secure.

The proxy integration guide has been updated with information about VMP and how to issue licenses. Widevine recommends our browser-based integrations (vendors and browser-based applications) add support for VMP.

In July 2018, Chrome will require Flash to be enabled on sites that still require it every time the user restarts the browser. User-defined override lists will no longer be persisted in site exceptions after this date.

Content Encryption

New Feature - Group License

We have introduced the group licensing feature where a single license unlocks multiple content - especially useful for the live broadcast use-case. Please review our group license document for further information.

Widevine would like to reinforce our recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each category of SD, HD, 4K (UHD1), 8K (UHD2) and AUDIO streams.

Widevine Cloud License Service

New Feature - HDCP SRM

We have added HDCP SRM support for compatible clients and updated our Proxy Integration document.

Environment Descriptions and Recommended Testing Process

Widevine has three different environments - UAT, Staging, and Production. Moving forward, we recommend that partners use our test environments to validate any new changes that will be migrated to our production environment.

The Widevine release process will update Staging first. Next, Production and UAT are updated simultaneously if Staging is successfully verified.

This table represents the available Widevine Cloud License Service endpoints:

Environment Data Store GetLicense GetContentKey Purpose
UAT (Test) UAT https://license.uat.widevine.com/cenc/getlicense/<provider> https://license.uat.widevine.com/cenc/getcontentkey/<provider> Testing environment for Device Integration and Service providers
Staging Production https://license.staging.widevine.com/cenc/getlicense/<provider> https://license.staging.widevine.com/cenc/getcontentkey/<provider> Testing environment for bug fixes, and new changes.
Production Production https://license.widevine.com/cenc/getlicense/<provider> https://license.widevine.com/cenc/getcontentkey/<provider> Standard production environment.

The Production and Staging environment is accessed using the same set of service credentials (IV/Key pair), separate from UAT.

  • Staging is a pre-release environment for Production releases. It is recommended that a service provider use staging to validate after launch.
  • Data (content keys, provider credentials)

The UAT (Test) environment is accessed using a unique set of service credentials (IV/Key pair). The purpose of UAT is to enable:

  • Testing and integration of devices in development.
  • Testing and integration of service providers.

Cloud Service Load Expectations

Please contact us to discuss the Queries Per Second (QPS) requirements for your service. Performance or load testing must be executed on our production systems only. We will need to know the expected traffic (QPS, duration) for any testing.

Cloud Service Load Expectations

Signing key credentials for access to the Widevine Cloud License Service can now be enabled to expire and new signing keys will be auto-generated. Please contact us if you are interested in enabling this function.

Training Program (CWIP)

We are moving forward with a training schedule for 2018. Exact dates will be published our next update.

Q1 - Europe
Q2 - Singapore

Please contact us if we can assist with any questions.

Best,
The Widevine Team

 



VMP Update - August 2017

Posted: August 18, 2017

IBC 2017

Widevine will be part of the Google presence at IBC 2017 in Hall 14, A10. Please use meet-widevine@google.com if you would like to have a discussion.

Chrome Browser

Beginning with Chrome 59, we have added support for Verified Media Path (VMP). VMP provides a method to verify the authenticity of a device platform. For desktop browser deployments, this will provide an additional signal to determine if a browser-based implementation is reliable and secure.

For content providers, the proxy integration guide has been updated with information about VMP and how to issue licenses to verified platforms. License SDK users will need the May 2017 update which added VMP query support.

Enforcement of VMP depends on each content partner or streaming service provider.

For browser vendors, Widevine recommends adding support for VMP.

Please contact us if we can assist with any questions.

Best,
The Widevine Team

 



Widevine Quarterly Partner Update - Q2 2017

Posted: July 6, 2017

Welcome to another quarterly update from the Widevine team. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Please contact us for any issues.

Key Updates

Progressive Web Apps (PWA)

Chrome Media presented the use of Progressive Web Apps for premium content delivery, especially on mobile Android in emerging markets at NAB.

Demo: http://bit.ly/pwa-media
Source: http://bit.ly/pwa-media-code

Provides a great media experience without a native app

  • Offers the look and feel of a native app.
  • Offers the same media player controls of a native app (Play, Pause, Skip, Thumbnail scrub, etc).
  • Fast startup of playback - you can reduce time-to-first-frame from the second the user lands on your site.

Easier to discover and install

  • The user can easily add the app to the home screen on their mobile device from the main website.
  • No need to redirect the user to the Play Store.
  • Because PWAs are essentially a website, they can be indexed by search engines and easily found by your users.

Development and Maintenance

  • Less space on device. Reduces storage by 80% or more compared with Android native apps.
  • Users always have the latest version - unlike native apps, no explicit updates are required.
  • PWAs are cheaper to develop because they work cross platform.
  • Easier to develop a responsive website vs. a native mobile application.
  • Works offline, you don’t have to be connected to use it. Support for offline Widevine encrypted content is currently available in Chrome beta.

NexPlayer supporting Widevine HLS on Android and iOS

NexPlayer recently released a player SDK update supporting HLS with Widevine on Android and iOS platforms. Leveraging the same advanced features of the NexPlayer SDK, this will allow partners to serve both Android and iOS users with the same encrypted HLS streams while reducing DASH complexities on Apple platforms. NexPlayer with Widevine has been successfully integrated into commercial apps in the US and is available at www.nexstreaming.com

Content Encryption

Widevine would like to reinforce our recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each category of SD, HD, 4K (UHD1), 8K (UHD2) and AUDIO streams.

Chrome Browser

Chrome 59 (and later) includes support for Verified Media Path (VMP). VMP provides a method to verify the authenticity of a device platform. For browser deployments, this will provide an additional signal to determine if a browser-based implementation is reliable and secure.

The proxy integration guide has been updated with information about VMP and how to issue licenses. Widevine recommends our browser vendors add support for VMP.

In addition, the Chrome browser will be deprecating EME permissions from cross origin iframes in a near-future release (tentatively M63).

Offline support on desktop

Widevine has been working with Castlabs to produce an open-source standalone app solution for offline desktop scenarios using Electron. This solution is now available for evaluation purposes. Please contact us for further interest.

Shaka Player

Version 2.1.4 has been released incorporating HLS VOD support.

Android

SafetyNet is a feature from the Play Store. The Attestation API provides a check for Android compatibility which can be leveraged to validate device compliance.

Widevine Cloud License Service

Please contact us to discuss the Queries Per Second (QPS) requirements for your service. Performance or load testing must be executed on our production systems only. We will need to know the expected traffic (QPS, duration) for any testing.

Cloud Signing Key Rotation

Signing key credentials for access to the Widevine Cloud License Service can now be enabled to expire and new signing keys will be auto-generated. Please contact us if you are interested in enabling this function.

Training Program (CWIP)

Our next training session is scheduled for July 24 - 27, 2017 in Amsterdam, The Netherlands. Registration is available at www.widevine.com under CWIP > Portal Login > Offered Classes.

Best,
The Widevine Team

 



Update - Chrome 59 and Service Certificates

Posted: May 2, 2017

This is an update to provide early notification of upcoming changes to the Widevine CDM client scheduled to ship with Chrome 59. This update is live and ready to test on the Chrome canary and beta channels.

Please contact us for any issues.

Key Updates

What’s Changing?

Chrome 59 will introduce a new CDM security feature known as Verified Media Path (VMP). VMP requires the use of a service certificate.

With the addition of VMP in Chrome 59, a service certificate is now required. If a service certificate does not exist, a certificate request will be initiated prior to every license request.

When?

Scheduled for June 6 2017.

Which Platforms?

Chrome on Desktop and Android starting from version 59.

What do I need to do?

License Proxy

The Proxy Integration document has been updated with the latest information and workflow.

A service certificate request will precede each license request. Service certificate requests are smaller in size (~2 bytes) compared to a license request and must be forwarded as-is (unchanged) to the Widevine Cloud License Service.

The Widevine license proxy sample demonstrates the certificate request-response with signing.

A sample certificate request and response is as follows:

License Server SDK

Please ensure that the SDK is initialized with the service certificate as documented on page 7 in our SDK API doc (for Java, it's in WvPLEnvironment.setServiceCertificate).

The service certificate returned to the client will match the service certificate initialized by the SDK. These service certificates must match to allow the browser client to accept licenses from the SDK.

Chrome Browser

The browser player application must set the service certificate to prevent a certificate request for each CDM session.

An alternative to executing the additional certificate request-response is to pre-load the service certificate, prior to any license request. This is recommended, as it avoids a round-trip to the license server.

The Widevine Cloud License Service certificate is available here.

  • Download the tarball and extract the binary certificate file.
  • The client application must retrieve it (via HTTP GET) and execute EME’s setServerCertificate API.
    • The certificate can be hosted on your service or proxy.
  • setServerCertificate must be executed prior to every playback session to avoid the certificate request.

This certificate is only valid for use with the Widevine Cloud License Service:

  • license.uat.widevine.com
  • license.widevine.com

If you are running a service using the Widevine License SDK, the above steps still apply, except that you must use the service certificate associated with your SDK deployment.

Setting the service certificate to the application can be accomplished by using the EME’s setServiceCertificate API with the following considerations:

  1. setServiceCertificate should be called after the MediaKeys object is created, but before creating sessions with mediaKeys.createSession(...).
  2. The argument type is a BufferSource, which means either an ArrayBuffer or a Uint8Array will be accepted. A hex-encoded or base64-encoded string will not be accepted.
  3. The method returns a Promise that is resolved or rejected when the operation is complete. Sessions should be created after the Promise resolves.

Shaka Player

Shaka Player already supports calling this method at https://github.com/google/shaka-player/blob/ac46792/lib/media/drm_engine.js#L261

An example on how Shaka Player can be configured to set service certificate is as follows:

Note: You cannot use the certificate response payload. Please use the appropriate certificate as indicated above (the Widevine Cloud License Service or your own certificate with your license SDK deployment).

Troubleshooting

If you are receiving INVALID_LICENSE_CHALLENGE errors, review the internal_status code field.

Note that internal_status 139 denotes that this is a Service Certificate Request Message. Other relevant status codes are:

Example of an error:

You will need to ensure that your license proxy is passing the service certificate request through for fulfillment by the Cloud License Service.

Best,
The Widevine Team

 



Update - Chrome 58 - Service certificate workflow

Posted: April 19, 2017

What’s Changing?

The service certificate request workflow change has been pushed from Chrome 58 to Chrome 59.

Widevine’s new browser CDM security feature known as Verified Media Path (VMP), originally scheduled to be introduced in Chrome 58, has been rescheduled to Chrome 59. The VMP feature requires service certificates. No changes to support service certificates are needed for Chrome 58.

Why?

Additional time is needed for our partners to implement and test the necessary updates to accommodate service certificate requests at their license proxy.

When?

Chrome 58 (without service certificate requirement) is scheduled to be released on April 25th. It’s on a gradual rollout schedule.

Chrome 59 (with service certificate requirement) is scheduled to be released on June 6th.

What do I need to do?

The VMP-enabled CDM is currently available in Chrome Canary. Partners should begin testing both canary and beta (starting April 27th) versions of Chrome 59 to understand the service certificate workflow and VMP functionality.

Additional information and documentation about VMP and service certificates will be provided shortly.

Please contact us if we can assist with any questions.

Best,
The Widevine Team




Chrome 58 and Service Certificates

Posted: April 10, 2017

This is a special update to provide early notification of upcoming changes to the Widevine CDM client scheduled to ship with Chrome 58. This update is live and ready to test on the Chrome beta channel.

Please contact us for any issues.

Key Updates

What’s Changing?

Chrome 58 will introduce a new CDM security feature known as Verified Media Path (VMP). VMP requires the use of a service certificate.

Prior to Chrome 58, service certificate requests were only made when certain EME options were enabled (e.g. persistentState, distinictiveIdentifier).

With the addition of VMP in Chrome 58, a service certificate is now required. If a service certificate does not exist, a certificate request will be initiated prior to every license request.

When?

Scheduled for April 25 2017.

Which Platforms?

Chrome on Desktop and Android starting from version 58.

What do I need to do?

License Proxy

A service certificate request will precede each license request. As a result, expect an increase of traffic at your proxy service.

Service certificate requests are smaller in size (2-4 bytes) compared to a license request and must be forwarded as-is (unchanged) to the Widevine Cloud License Service.

License Server SDK

Please ensure that the SDK is initialized with the service certificate as documented on page 7 in our SDK API doc (for Java, it's in WvPLEnvironment.setServiceCertificate).

The service certificate returned to the client will match the service certificate initialized by the SDK. These service certificates must match to allow the browser client to accept licenses from the SDK.

Chrome Browser

The browser player application must set the service certificate to prevent unnecessary certificate requests.

Setting the service certificate to the application can be accomplished by using the EME’s setServiceCertificate API with the following considerations:

  1. setServiceCertificate should be called after the MediaKeys object is created, but before creating sessions with mediaKeys.createSession(...).
  2. The argument type is a BufferSource, which means either an ArrayBuffer or a Uint8Array will be accepted. A hex-encoded or base64-encoded string will not be accepted.
  3. The method returns a Promise that is resolved or rejected when the operation is complete. Sessions should be created after the Promise resolves.

Shaka Player

Shaka Player already supports calling this method at https://github.com/google/shaka-player/blob/ac46792/lib/media/drm_engine.js#L261

An example on how Shaka Player can be configured to set service certificate is as follows:

Troubleshooting

If you are receiving INVALID_LICENSE_CHALLENGE errors, review the internal_status code field. A 134 or 139 translates to service certificate requests that have gone unfulfilled.

Example of an error:

You will need to ensure that your license proxy is passing the service certificate request through for fulfillment by the Cloud License Service.

Best,
The Widevine Team




Widevine Quarterly Partner Update- Q1 2017

Posted: March 31, 2017

Welcome to another quarterly update from the Widevine team. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Key Updates

NAB 2017

Widevine will be attending the NAB show in Las Vegas from April 23 to April 26. If you would like to arrange a discussion, please contact us via meet-widevine@google.com

We are featuring the use of Progressive Web Apps for premium content delivery, especially for mobile Android in emerging markets. A fully-featured demo will be on hand for display in the Google booth located at SU218. A full list of Google events is available here.

Chrome Browser

Please refer to this document for upcoming changes scheduled to ship with Chrome M58, due in mid-April 2017.

Secure Origin and Transport

Codecs

  • Codec (video and audio) types must be explicitly set for playback in the MPD

Best practices to enforce client behavior

  • The document provides recommendations on how to enforce behavior on video playback based on desired client capabilities using EME

Shaka Player

Version 2.0.7 has been released.

Widevine Cloud License Service

Please contact us to discuss the Queries Per Second (QPS) requirements for your service. Performance or load testing must be executed on our production systems only. We will need to know the expected traffic (QPS, duration) for any testing.

Cloud Signing Key Rotation

Signing keys for access to the Widevine Cloud License Service can now be enabled to expire and new signing keys will be auto-generated. Please contact us if you are interested in enabling this function.

Widevine Training Program

Our next training session is scheduled for June 5 - 8, 2017. Registration is available at www.widevine.com under CWIP > Portal Login > Offered Classes.

Please contact us if we can assist with your DRM implementation questions.

Best,
The Widevine Team




Chrome and EME Changes

Posted: January 27, 2017

This is a special update to provide early notification of upcoming changes scheduled to ship with Chrome M58, due in late April 2017.

Please refer to this document for a full description.

Key Updates

Secure Origin and Transport

This refers to the HTTPS transport requirement for all media and license calls with Chrome M58.

Codecs

Codec (video and audio) types must be explicitly set for playback.

Best practices to enforce client behavior

Recommendations on how to enforce behavior on video playback based on desired client capabilities using EME.

Please contact us if we can assist with any questions.

Best,
The Widevine Team




Widevine Quarterly Partner Update- Q4 2016

Posted: January 09, 2016

We had a successful show at IBC 2016 in Amsterdam and would like to highlight recent updates. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Key Updates

CES 2017

The Widevine team is attending CES 2017. Please contact us if you would like to take the opportunity to have a discussion.

Widevine Training Program

We have added a training session for our APAC partners in Singapore, scheduled for March 13-16, 2017. Please register and sign up from www.widevine.com under CWIP > Portal Login > Offered Classes.

Widevine Cloud License Service

Please contact us to discuss the Queries Per Second (QPS) requirements for your service. Performance or load testing must be executed on our production systems only.

Please contact us prior to any testing to schedule when this can be conducted. We will need to also know the expected traffic (QPS, duration) for any testing.

Chrome Browser

In a recent blog post, Chrome has announced the roadmap for Flash deprecation. This includes the deprecation process and how Flash will continue to work for high traffic sites. PC World has a helpful link to explain behavior and impact.

HTTPS everywhere is being highlighted by upcoming version of the Chrome browser. For content protection use-cases, the emphasis is on the HTTPS requirement for EME (including the content and license urls due to mixed content restrictions). As a general guideline, the deadline for these changes to take effect is approximately late Q1 2017.

Android

Android N (7.0) enabled CDM support for multiple encryption schemes as described in the latest Common Encryption specification. While the encryption scheme is supported, you may need to implement the appropriate MediaExtractor in your player to parse the content correctly.

Shaka Player

The Shaka Player Browser Support test page will report the capabilities exposed by your browser instance. In addition, Shaka Player error handling is documented here.

The Shaka Player Demo site will be updated to require HTTPS in February 2017 to support the HTTPS everywhere initiative.

Please contact us if we can assist with your DRM implementation questions.

Best,
The Widevine Team




Widevine Quarterly Partner Update- Q3 2016

Posted: October 11, 2016

We had a successful show at IBC 2016 in Amsterdam and would like to highlight recent updates. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Key Updates

HTML5

Google AdWords supports ads in HTML5. Please see this link on how to switch to HTML5 ads.

Common Encryption

Widevine would like to reinforce our recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each SD, HD, 4K (UHD1), 8K (UHD2) and AUDIO stream.

In-line with the latest CENC specification, Widevine supports the additional protection schemes for AES-CBC. The Widevine PSSH proto has been updated with new fields to enable support for these protection schemes.

Cloud License Service

The Widevine Cloud License Service now supports new track types - UHD1 for 4K and UHD2 for 8K content respectively.

License generation for UHD1 and UHD2 tracks should:

  • Ensure the license is not stored (can_persist=false)
  • Enable HDCP 2.2

A small-sized (under 10 bytes) license request payload normally indicates a certificate request that must be fulfilled to allow a Widevine CDM to operate. This request does not need to be signed and must be passed unchanged to the license service. The license response will indicate the request type of CERTIFICATE.

Chrome Browser

Flash deprecation continues with new updates to Chrome. The upcoming M56 release will require a one-time user action to re-enable Flash on a web page, otherwise Flash is automatically disabled by default.

Chrome 53 demonstrates significant battery life improvements and will continue to be a core focus moving forward.

By the end of 2016, HTTPS transport will be required when using EME’s requestMediaKeySystemAccess API. This includes both the manifest and encrypted video chunks. All MSE (Media Source Extension) API calls for video segments or downloads will need to be conducted over HTTPS.

Android

In line with Android M requirements, going forward, Android N devices will not ship with WV Classic clients. Effectively, starting with Android 6.0, there is no expectation of a Widevine Classic client to exist on any Android device.

Widevine is VR-ready on Daydream devices with support for multiple secure video paths.

Chromecast

With AES-CBC compatibility, Widevine support on the Chromecast has been expanded to include HLS. This requires appending additional tags to specify Widevine compatibility and PSSH - please check the Shaka Packager update in this announcement. Contact us for details if you are interested to learn more.

The new Chromecast Ultra has support for 4K, HDR and Dolby Vision with expanded codec support (HEVC Main and Main10, VP9 profile 0 and 2).

Shaka Player

Version 2.0.0 has been officially released. New features include native Chromecast support, improved error reporting and robust subtitle support.

Shaka Packager

Formerly known as the eDASH Packager, we have re-branded as the Shaka Packager in-line with our Shaka Player client.

The latest 1.5.1 release incorporates support for CENC v3, HLS (Sample-AES only), HEVC, WebM (VP9) and Opus support. In addition, docker support has been expanded to include Windows, Mac OS X and Linux. WebM formats are now streaming optimized just like MP4 files.

Please contact us if we can assist with your DRM implementation questions.

Best,
The Widevine Team




Widevine Quarterly Partner Update- Q2 2016

Posted: July 20, 2016

As we head into summer and extended vacations, it is timely to highlight recent updates. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Key Updates

Progressive Web Apps (PWA)

Progressive Web Apps are cross-browser and cross-platform initiatives to standardize on application development. PWA gain superior performance and capabilities on modern browsers that support the latest web standards. Currently, PWA is applicable to Chrome on Android and ChromeOS.

A partial list of well-known sites running PWA are Flipkart, AliExpress, Snapdeal, Jalantikus, Babe, Geo TV, 5miles, AirBerlin, Washington Post and NFL Now.

In addition, the recently announced support for Android apps on Chromebooks will allow the native execution of Android apps on ChromeOS using Widevine in L3 mode.

4K and UltraHD

The Widevine team met with major studios this past quarter to discuss 4K and UltraHD compliance. Widevine Level 1 client security model meets current studio requirements. We are continuously having on-going discussions with studios to maintain our product line and keep them up-to-date.

Common Encryption

The Common Encryption specification is being updated to support AES-CBC. Initial support for AES-CBC is available on the Chromecast and Android N devices.

The Widevine PSSH structure will be changing to require either content_id or key_id. Please check our latest version of the Encryption API document that describes the updated PSSH format. To support 4K and UHD, additional track_types are being defined and will be available in Q3 2016.

Cloud License Service

The Proxy Integration guide has been updated to reflect the following changes:

  1. The content_id parameter is now optional in the license request payload.
  2. Content keys injected by the proxy may now be optionally encrypted during transmission.
  3. A new parameter - always_include_client_id - has been introduced for improved license renewal support.

Chrome Browser

The initiative within the W3C to improve security of Powerful Features will require streaming media playback to be conducted over HTTPS. Connections using EME must be using https by end of 2016. On a related note, this is in line with Apple’s requirement to enforce https streaming for iOS by the end of 2016.

Flash will be automatically disabled by default by the end of 2016. Firefox has recently announced a similar timeline.

We strongly recommend using SetServerCertificate when invoking EME MediaKeys to allow the Chrome platform to support the use and definition of custom user-specific values (e.g. provider client token).

As a point of clarification, the Chrome browser does not support the HLS streaming format.

The recommended security level setting for VIDEO tracks will be to specify SW_SECURE_DECODE. The only supported security level setting for AUDIO tracks is SW_SECURE_CRYPTO. Security level settings are specified by your license proxy implementation on a per track basis. The table below provides the recommended security level settings per Chrome platform.


Platform Video Audio
Desktop (PC, Mac, Linux) SW_SECURE_DECODE (L3) SW_SECURE_CRYPTO (L3)
ChromeOS SW_SECURE_DECODE (L3)
HW_SECURE_ALL (L1)
SW_SECURE_CRYPTO (L3)

It is recommended all partners test their current deployment on Chrome M50 (or later) to verify that their current implementation of security level does not impact playback of either video or audio content. If there are issues, please verify you are setting your AUDIO security levels as indicated above.

Widevine would like to reinforce our recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each SD, HD, UHD and Audio stream.

Platform Updates

Android

In line with Android M requirements, going forward, Android N devices will not ship with WV Classic clients. Effectively, starting with Android 6.0, there is no expectation of a Widevine Classic client to exist on any Android device.

Chromecast

As mentioned earlier on AES-CBC compatibility, Widevine support on the Chromecast has been expanded to include HLS. This requires appending additional tags to specify Widevine compatibility and PSSH - please check the Shaka Packager update in this announcement. Contact us for details if you are interested to learn more.

Roku

Widevine support is part of firmware version 7.2 with full Level 1 compatibility.

Shaka Packager

Formerly known as the eDASH Packager, we have re-branded as the Shaka Packager in-line with our Shaka Player product.

The latest 1.5.0 release incorporates support for CENC v3, HLS (Sample-AES only), HEVC, WebM (VP9) and Opus support. In addition, docker support has been expanded to include Windows, Mac OS X and Linux.

Mozilla

Firefox 47 launched (June 7th) with Widevine CDM, HTML5 and VP9 support.

Please contact us if we can assist with your DRM implementation questions.

Best,
The Widevine Team




Widevine Quarterly Partner Update- Q1 2016

Posted: April 15, 2016

We had a busy year in 2015 launching new and updated products like the iOS SDK; Shaka Player with offline playback, captioning and cast support; and key security improvements for Chrome and Android. We have a ton of exciting things planned for 2016 and look forward to sharing more details in the coming months!

As we head into spring, we thought it timely to highlight some recent updates. Our aim is to improve transparency and facilitate discussions around improving ease of use, integration and deployment of Widevine DRM.

Key Updates

HTML5 Video

Web and mobile video is growing rapidly, with watch time increasing by 60% year-on-year. As demand increases, the underlying technology is also developing rapidly. For many top media sites, HTML5 video has now replaced Flash as the preferred platform for web and mobile delivery. HTML5 video is a proven technology with billions of hours of content delivered monthly and a large and thriving ecosystem. Recent HTML5 video technology advances make it a fully-featured platform, allowing full custom player control, digital rights management (DRM), and adaptive bitrate streaming support for both on-demand and live video. Interested in learning more? Please read the Moving to HTML5 Video whitepaper.

Securing Content Delivery

There is a new initiative within the W3C to improve security of Powerful Features. This requires streaming media playback to be conducted over HTTPS. You may have already seen content specific notifications start to appear in browsers when HTTPS is not in use.

Streamlining Security Policies in Chrome

Starting with Chrome M50, the recommended security level setting for VIDEO tracks will be to specify SW_SECURE_DECODE. The only supported security level setting for AUDIO tracks is SW_SECURE_CRYPTO. Security level settings are specified by your license proxy implementation on a per track basis. The table below provides the recommended security level settings per Chrome platform.


Platform Video Audio
Desktop (PC, Mac, Linux) SW_SECURE_DECODE (L3) SW_SECURE_CRYPTO (L3)
ChromeOS SW_SECURE_DECODE (L3)
HW_SECURE_ALL (L1)
SW_SECURE_CRYPTO (L3)

It is recommended all partners test their current deployment on Chrome M50 to verify that their current implementation of security level does not impact playback of either video or audio content. If there are issues, please verify you are setting your AUDIO security levels as indicated above.

Widevine would also like to take this opportunity to reinforce our recommendation of using separate content keys to encrypt each video and audio track. In particular, the emphasis is on using separate content keys for each SD, HD and Audio stream. We will be publishing additional guidance on best practices for this topic ahead of our next quarterly update.

Shaka Player

Shaka Player v2.0 beta has been announced, including a simplified configuration interface, a new plugin architecture, support for live content, and support for all major browsers (Chrome, Edge, IE 11, Safari 9, Firefox, and Opera). Please sign up on the Shaka Player mailing list and send us your feedback!

VP9

Streaming Media published an article discussing the AOM (Alliance for Open Media) and AV1 codec, covering HTML5 video, VP9 and HEVC.

In addition, there have been recent announcements by encoding companies adopting VP9, extending support for YouTube Live:

Platform Updates

Android

We have published a guide on how to implement key rotation using mediaDrm on Android to supplement the available source code in ExoPlayer. This illustrates the capability to support live streaming. There are also a number of exciting updates planned that will be announced during Google I/O.

For device manufacturers, we have streamlined our Android CDM integration process and migrated to a repository.

Firefox

Mozilla has announced they are testing support for the Widevine CDM in Firefox Nightly. Please refer to Mozilla for updates and support for the Widevine CDM.

iOS

The distribution of the iOS CDM client has moved to a standard repository. The CWIP Portal page has been updated to reflect these changes. All certified members automatically have access based on your CWIP Portal login. We are hard at work on a major redesign of the iOS SDK. This will greatly simplify the interfaces while also providing more robust functionality.

Platform Support

Widevine Platform Support

Certified Widevine Integration Partner Training (CWIP)

Starting in Q2 of 2016, we are updating the Certified Widevine Implementation Partner (CWIP) training program with a greater focus on developers. We are also significantly increasing training capacity. Beginning in June 2016, the courses will be expanded to accommodate more than 75 students.

Beginning in Q1 2017, all Classic-certified partners will need to be retrained and recertified with the latest version of Widevine DRM to maintain CWIP certification status.

Please contact us if we can assist with your DRM implementation questions.

Best,
The Widevine Team




Widevine Release Announcement - iOS Client SDK v2.0.2

Posted: October 29, 2015

We are pleased to announce the immediate release of our Widevine iOS SDK for Modular DRM v2.0.2. You can now download the iOS SDK directly from the CWIP Portal.

Features

  • Demonstrates CDM Offline support (Download Manager and License Handling)
  • Improved Reference Player Design
  • Support for iOS 9 / XCode 7

Fixed Issues

  • UDT Improvements (Multiple PSSH Support, Timescales, sidx v2)
  • Resolved rotation problem and general playback use in reference player
  • Removal of Storyboards

Don't forget to sign up on our iOS discussion forum for feedback with our developer community. Please keep the feedback coming as your input is key!




Widevine Product Update - August 2015

Posted: August 20, 2015

Google is a strong proponent of embracing a standards-based approach for premium content delivery. Widevine is committed to open web standards and our Modular DRM technology platform utilizes EME, CENC and DASH.

We strongly recommend a transition to our Modular DRM solution and would like to take this opportunity to provide an update on our legacy Widevine Classic platform.


iOS

The latest beta release of iOS9 includes several changes that may be incompatible with our Widevine Classic client. The changes are specific to App Transport Security and multi-tasking support. While there may be existing workarounds, additional changes leading up to iOS9 being finalized could impact Widevine Classic further.

What does this mean?

The changes Apple introduced in iOS9 will likely result in compatibility issues with the Widevine Classic client for iOS. We will continue to monitor iOS9 beta releases for new changes that may impact users and will send updates as they are identified. We are encouraging partners to migrate to the Widevine CDM for iOS as soon as possible. The latest iOS SDK is now available on our CWIP portal. Widevine Classic will no longer receive updates going forward.


Android

Starting with Android 6.0 (Marshmallow), there will no longer be a tested version of the Widevine Classic client and device manufacturers are no longer required to support it.

The Widevine Classic client is tested and validated for Google-approved devices on previously released versions of Android (3.1 - 5.1).

What does this mean?

There will be no new features or updates made to the Widevine Classic client. Additionally, a device running Android 6.0 may not support Widevine Classic. For devices running Android 4.3 and earlier, you can continue to use your existing Widevine Classic solution.

Widevine Modular DRM is available on all devices running Android 4.4 (Kitkat) and later.


Desktop Browsers

Widevine Modular DRM is already available on all Google platforms (Android, AndroidTV, Chrome, Chromecast, ChromeOS,) and Opera. Native support for Widevine DRM on a browser is subject to availability of the Widevine CDM on that browser platform.

Modern browsers (Google Chrome, Microsoft Edge, Mozilla Firefox) are deprecating support for legacy plugin frameworks (like NPAPI), the Widevine Classic Media Optimizer plugin will no longer continue to function in the future. Please reach out to the respective browser teams directly for more information on CDM support.

Please contact us so that we can assist with your Modular DRM migration and let us know if you have any questions.




Widevine Release Announcement - iOS Client SDK v2.0.1

Posted: August 14, 2015

We are pleased to announce the immediate release of our Widevine iOS SDK for Modular DRM. You can now download the iOS SDK directly from the CWIP Portal. We’d like to thank everyone for their continued interest and also welcome all of our Partners.

This release is the result of countless hours of beta testing and great feedback by the participants of our Early Access program. Your feedback helped to simplify and improve the SDK which will benefit all of our Partners. We are proud of the release and will continue to update and improve the iOS SDK. Please keep the feedback coming as your input is key!

Features

  • iOS8 - iOS9 support with 64 Bit app compatibility
  • Dynamic Library and XCode 6.3+ to ease implementation
  • Reference Application and Simulator support
  • Jailbreak detection
  • Offline*
  • CDM 3.0 and OEMCrypto v9*
  • *Coming in Q4

Please contact us so that we can assist with your Modular DRM migration. You can also use our new iOS discussion forum for feedback with our developer community.