Overview
Orchid Fusion applies a digital signature to videos brought into its Library, allowing for future verification that video files have not changed after being downloaded.
This signature is generated using the same private key that Fusion uses for HTTPS connections. Video file integrity is later verified using the corresponding public certificate.
Validating Exported Video Files
The authenticity of a video file downloaded from Fusion’s library can be confirmed using a standalone validation tool, available for download.
Acquiring the validation tool
Download the validation tool at https://download.ipconfigure.com/fusion/verify.
Referencing a Fusion server for validation
If there is a network path to the Fusion server which signed the video, the validation tool can connect to it and automatically acquire the public key for verification.
In Linux:
./verify <video file> <server address> [server port]
In Windows:
verify.exe <video file> <server address> [server port]
Directly using a public certificate for validation
If the public certificate (.pem file) from the Fusion server that signed a video file is locally available, it can be used to validate the file’s integrity. This allows validation when there is no network path to Fusion, or if the Fusion SSL keys have since changed.
In Linux:
./verify <video file> <public certificate file>
In Windows:
verify.exe <video file> <public certificate file>
Important Configuration Note: Fusion Public Certificate Renewal
If Fusion’s public key changes, then the validation tool can no longer retrieve a key from Fusion which matches the signature of previously-exported files. This means that referencing the Fusion server will no longer work to confirm the integrity of files exported prior to the key change.
In order to maintain validation capability across SSL certificate renewals, customers are encouraged to retain their old private keys.
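The renewal note above depends on whether a renewed certificate still carries the public key that signed earlier exports. The following is an added example, not part of the Fusion documentation or tooling: it uses openssl to compare the public-key fingerprint of an archived .pem with that of a newer certificate and reports which form of the verify command applies. The function names, file names and fusion.example are assumptions, and the certificates are generated locally as constructed sample data.

```shell
#!/bin/sh
# Added example: constructed certificates only, not real Fusion keys.

# SHA-256 of a PEM certificate's public key (DER SubjectPublicKeyInfo).
spki_sha256() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0: same public key. Exit 1: different key. Exit 2: unreadable file.
same_public_key() {
    a=$(spki_sha256 "$1") && b=$(spki_sha256 "$2") || return 2
    [ "$a" = "$b" ]
}

# For files signed under <archived cert>, given the <current cert>:
#   server      -> referencing the Fusion server still yields a matching key
#   certificate -> pass the archived .pem to the validation tool instead
validation_mode() {
    if same_public_key "$1" "$2"; then echo server
    elif [ $? -eq 1 ]; then echo certificate
    else echo "unreadable certificate" >&2; return 2; fi
}

# Constructed sample data: one archived certificate and two renewals,
# one that kept the private key and one that replaced it.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
new_cert() {  # new_cert <key file> <cert file>
    openssl req -x509 -new -key "$1" -subj "/CN=fusion.example" -days 30 \
        -out "$2" 2>/dev/null
}
openssl genrsa -out "$tmp/old.key" 2048 2>/dev/null
openssl genrsa -out "$tmp/new.key" 2048 2>/dev/null
new_cert "$tmp/old.key" "$tmp/archived.pem"
new_cert "$tmp/old.key" "$tmp/renewed_same_key.pem"
new_cert "$tmp/new.key" "$tmp/renewed_new_key.pem"

validation_mode "$tmp/archived.pem" "$tmp/renewed_same_key.pem"
validation_mode "$tmp/archived.pem" "$tmp/renewed_new_key.pem"
```

Archiving the server's .pem before each renewal gives the first argument for this comparison and for the certificate form of the verify command.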
Disabling Fusion Library Export Signatures
The default behavior of Fusion automatically signing all video files in its Library can be disabled using the following configuration property:
library.export.signing.disabled - When true, exports added to the library will NOT be digitally signed (default: false, added in 22.3.0)