From fdc87af8f8ace8fd377fb835bfb872f0edade18c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20V=C3=B6lcker?= Date: Thu, 21 Aug 2025 11:08:12 +0200 Subject: [PATCH 1/5] Update Export File Format wrt Media Signing When exporting a segment of a stream to MP4 there are some things to consider to keep Media Signing working. --- doc/ExportFileFormat.xml | 78 +++++++++++++++++++++++++++++++++++++++- doc/MediaSigning.xml | 10 +++--- 2 files changed, 83 insertions(+), 5 deletions(-) diff --git a/doc/ExportFileFormat.xml b/doc/ExportFileFormat.xml index 404738979..dfecd7a3a 100644 --- a/doc/ExportFileFormat.xml +++ b/doc/ExportFileFormat.xml @@ -251,7 +251,7 @@
Use case 2: Forensic analysis at court A court receives video clips from a grocery store, a street surveillance system and a metro operator. All three videos are shown in the court’s approved video player. - The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic. + The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic. Further, they preferably also want to validate the videos authenticity and provenance using ONVIF Media Signing.
Use case 3: Playback at players not equipped according to the present specification @@ -260,6 +260,79 @@ Export Format +
+ Requirements to Preserve Media Signing + + This checklist captures the essence for preserving the authenticity of ONVIF Media Signing + (OMS) when handling streams and exporting to MP4. Following these rules ensures that signature + verification remains intact and that tamper‐evident evidence can be trusted. + +
+ Core Rules and Bitstream Requirements + + No re-encoding + + Never transcode or recompress OMS. Use pure remuxing (-c copy in + ffmpeg) to change containers. + + Preserve NAL order and bytes + + Do not filter, rewrite or normalise the bitstream. The raw order of NAL units is + critical. + + Keep OMS SEI NAL units + + ONVIF Media Signing transmits signature information in SEI (Supplemental Enhancement + Information) frames of type user data unregistered within the codec + format (H.264 and H.265). These SEI frames do not affect the video frame decoding. The + standard ISO/IEC 14496-12 provides the user an option to remove these when creating an MP4 + file. Never strip these. + + Add OMS Certificate SEI NAL unit if present + + The device has the option to add a Certificate SEI at the beginning of a stream. This + SEI includes all necessary information to validate later SEIs. If the stream from the + device had a Certificate SEI, that SEI shall be added to the first access unit of the + exported recording. + + Treat the video elementary stream as immutable + + + + Keep all SPS/PPS/VPS, access unit delimiter (AUD), prefix/suffix SEI and + slice NALs in their original order. + Do not change frame rate, timescale, timebase or GOP structure. Avoid + frame duplication, dropping, de‑interlacing or timestamp “cleanup”. + For SEI preservation: In H.264 the SEI NAL type is 6; in HEVC, SEI + prefix/suffix types are 39/40. These must stay attached to the same access units they + originally accompanied. Do not convert or regroup SEIs (e.g., never swap HEVC prefix and + suffix). + Avoid bitstream filters. Only use a filter when absolutely certain it will + not modify or remove SEIs. Never run “cleaning” filters that remove private SEIs. + + + +
+
+ Recommendations + + Validate before and after File Export. Run OMS validation on the original source and again + on the exported MP4 to confirm integrity. + + + A simpler test is to only verify that the MP4 file has SEIs present after export. Below is + an ffmpeg command for that. + &1 | grep -i sei]]> + + + Cut at signature‑safe boundaries + + Trim at SEIs. There will always be a "dangling end" of the exported file, that is, + frames that cannot be validated since the associated SEI is not present in the exported + recording. To minimize the "dangling end", trim at frames with a signed SEI (inclusive), + that is, a SEI with a signature. +
+
Required Side Information @@ -345,6 +418,7 @@ class SurveillanceExportBox string SourceURL; string SourceMAC; string SourceLine; + UInt(8) SourceSigned; } } ]]> @@ -358,6 +432,8 @@ class SurveillanceExportBox ExportUnitTime is an integer that provides date and time designation as defined in ISO/IEC 14496-12 of when the export operation has been started. entry_count is an integer that provides the number of tracks. + + SourceSigned is an integer that provides '1' if the track is signed with ONVIF Media Signing.
Timing diff --git a/doc/MediaSigning.xml b/doc/MediaSigning.xml index 84feac7df..bc93c1646 100644 --- a/doc/MediaSigning.xml +++ b/doc/MediaSigning.xml @@ -1282,10 +1282,12 @@ Minimum requirements for client handling of a signed video stream Attached to an AU of a signed video stream may be a certificate SEI including all information that is only sent once; The certificate SEI bit is set. - This SEI should be stored for later use. Further, when exporting a video segment to file, - this certificate SEI shall be added to the first AU of that recording. - The client shall not remove any SEI-frames from the stream. It is possible to move - them to the AU including the I-frame of the following GOP the particular SEI did sign. + This SEI shall be stored for later use. Further, when exporting a video segment to + file, this certificate SEI shall be added to the first AU of that recording. + The client shall not remove any SEI-frames from the stream. It is possible to + move a signed SEI to the first AU not included in the associated (partial) GOP. + The client shall make sure that the SEIs are not removed when exporting to an + MP4 file. For a full list of requirements; See the ExportFileFormat specification.
Client side validation From 1a246d4e63efb20afee16b8208e75fb355055950 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20V=C3=B6lcker?= <65532189+bjornvolcker@users.noreply.github.com> Date: Tue, 2 Sep 2025 10:20:39 +0200 Subject: [PATCH 2/5] Update doc/ExportFileFormat.xml Co-authored-by: Sriram Bhetanabottla --- doc/ExportFileFormat.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ExportFileFormat.xml b/doc/ExportFileFormat.xml index dfecd7a3a..65f62cced 100644 --- a/doc/ExportFileFormat.xml +++ b/doc/ExportFileFormat.xml @@ -251,7 +251,7 @@
Use case 2: Forensic analysis at court A court receives video clips from a grocery store, a street surveillance system and a metro operator. All three videos are shown in the court’s approved video player. - The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic. Further, they preferably also want to validate the videos authenticity and provenance using ONVIF Media Signing. + The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic. Further, they preferably also want to validate the authenticity and provenance of videos using ONVIF Media Signing.
Use case 3: Playback at players not equipped according to the present specification From bb12066fc0f15d440f4d05bf9cd0e94ffef7805f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20V=C3=B6lcker?= <65532189+bjornvolcker@users.noreply.github.com> Date: Wed, 3 Sep 2025 06:45:29 +0200 Subject: [PATCH 3/5] Update doc/ExportFileFormat.xml Co-authored-by: Sriram Bhetanabottla --- doc/ExportFileFormat.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/ExportFileFormat.xml b/doc/ExportFileFormat.xml index 65f62cced..e664d48be 100644 --- a/doc/ExportFileFormat.xml +++ b/doc/ExportFileFormat.xml @@ -263,9 +263,9 @@
Requirements to Preserve Media Signing - This checklist captures the essence for preserving the authenticity of ONVIF Media Signing - (OMS) when handling streams and exporting to MP4. Following these rules ensures that signature - verification remains intact and that tamper‐evident evidence can be trusted. + This checklist captures the essence for preserving the authenticity of ONVIF signed streaming media as specified in ONVIF Media Signing + (OMS) specification when exporting to MP4. Following these rules ensures that signature + verification remains intact and media evidence can be trusted as tamper-proof.
Core Rules and Bitstream Requirements From 2e7e46ea52aec93ed25e31785caf863ec5b6819e Mon Sep 17 00:00:00 2001 From: Sriram Bhetanabottla Date: Wed, 3 Sep 2025 15:18:17 +0200 Subject: [PATCH 4/5] paraphrasing as requirements text (#623) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sriram Bhetanabottla --------- Co-authored-by: Björn Völcker <65532189+bjornvolcker@users.noreply.github.com> --- doc/ExportFileFormat.xml | 46 +++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 24 deletions(-) diff --git a/doc/ExportFileFormat.xml b/doc/ExportFileFormat.xml index e664d48be..e6d927f9f 100644 --- a/doc/ExportFileFormat.xml +++ b/doc/ExportFileFormat.xml @@ -262,36 +262,34 @@ Export Format
Requirements to Preserve Media Signing - - This checklist captures the essence for preserving the authenticity of ONVIF signed streaming media as specified in ONVIF Media Signing - (OMS) specification when exporting to MP4. Following these rules ensures that signature - verification remains intact and media evidence can be trusted as tamper-proof. - + In order to maintain the integrity and authenticity of ONVIF streaming media signed in + accordance with the ONVIF Media Signing (OMS) specification when exporting to an MP4 + container, the following prerequisite steps shall be adhered to during the export process to + ensure signature verification remains intact and media evidence can be trusted as + tamper-proof.
Core Rules and Bitstream Requirements - - No re-encoding + No re-encoding - Never transcode or recompress OMS. Use pure remuxing (-c copy in - ffmpeg) to change containers. - - Preserve NAL order and bytes + ONVIF signed media stream captured from the device shall not be transcoded or + recompressed. Instead Use pure remuxing (-c copy in ffmpeg) to change + containers. + Preserve NAL order and bytes - Do not filter, rewrite or normalise the bitstream. The raw order of NAL units is - critical. - - Keep OMS SEI NAL units + ONVIF signed media bitstream captured from the device shall not be filtered, rewitten + or normalized, as the raw order of NAL units is critical. + Keep OMS SEI NAL units - ONVIF Media Signing transmits signature information in SEI (Supplemental Enhancement - Information) frames of type user data unregistered within the codec - format (H.264 and H.265). These SEI frames do not affect the video frame decoding. The - standard ISO/IEC 14496-12 provides the user an option to remove these when creating an MP4 - file. Never strip these. - - Add OMS Certificate SEI NAL unit if present + ONVIF signed media includes signature information in SEI (Supplemental Enhancement + Information) frames of type user data unregistered within the codec + format (H.264 and H.265) and they shall not be stripped. + As SEI frames do not affect the video frame decoding, ISO/IEC 14496-12 provides the + user an option to remove these when creating an MP4 file, but these are critical for ONVIF + signed media and hence Never strip these. + Add OMS Certificate SEI NAL unit if present - The device has the option to add a Certificate SEI at the beginning of a stream. This - SEI includes all necessary information to validate later SEIs. If the stream from the + The device has an option to add a Certificate SEI at the beginning of a stream. This + SEI includes all necessary information to validate subsequent SEIs. If the stream from the device had a Certificate SEI, that SEI shall be added to the first access unit of the exported recording. From c6672cd741180799aefaf451b0be6079665f5b5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20V=C3=B6lcker?= Date: Thu, 2 Oct 2025 13:06:12 +0200 Subject: [PATCH 5/5] Moved most of the Media Signing text to an Appendix Kept what is truly a requirement and moved the rest as recommendations to an Appendix. --- doc/ExportFileFormat.xml | 126 ++++++++++++++++++--------------------- doc/MediaSigning.xml | 2 - 2 files changed, 58 insertions(+), 70 deletions(-) diff --git a/doc/ExportFileFormat.xml b/doc/ExportFileFormat.xml index e6d927f9f..97e878617 100644 --- a/doc/ExportFileFormat.xml +++ b/doc/ExportFileFormat.xml @@ -266,70 +266,22 @@ accordance with the ONVIF Media Signing (OMS) specification when exporting to an MP4 container, the following prerequisite steps shall be adhered to during the export process to ensure signature verification remains intact and media evidence can be trusted as - tamper-proof. -
- Core Rules and Bitstream Requirements - No re-encoding - - ONVIF signed media stream captured from the device shall not be transcoded or - recompressed. Instead Use pure remuxing (-c copy in ffmpeg) to change - containers. - Preserve NAL order and bytes - - ONVIF signed media bitstream captured from the device shall not be filtered, rewitten - or normalized, as the raw order of NAL units is critical. - Keep OMS SEI NAL units - - ONVIF signed media includes signature information in SEI (Supplemental Enhancement - Information) frames of type user data unregistered within the codec - format (H.264 and H.265) and they shall not be stripped. - As SEI frames do not affect the video frame decoding, ISO/IEC 14496-12 provides the - user an option to remove these when creating an MP4 file, but these are critical for ONVIF - signed media and hence Never strip these. - Add OMS Certificate SEI NAL unit if present - - The device has an option to add a Certificate SEI at the beginning of a stream. This - SEI includes all necessary information to validate subsequent SEIs. If the stream from the - device had a Certificate SEI, that SEI shall be added to the first access unit of the - exported recording. - - Treat the video elementary stream as immutable - - - - Keep all SPS/PPS/VPS, access unit delimiter (AUD), prefix/suffix SEI and - slice NALs in their original order. - Do not change frame rate, timescale, timebase or GOP structure. Avoid - frame duplication, dropping, de‑interlacing or timestamp “cleanup”. - For SEI preservation: In H.264 the SEI NAL type is 6; in HEVC, SEI - prefix/suffix types are 39/40. These must stay attached to the same access units they - originally accompanied. Do not convert or regroup SEIs (e.g., never swap HEVC prefix and - suffix). - Avoid bitstream filters. Only use a filter when absolutely certain it will - not modify or remove SEIs. Never run “cleaning” filters that remove private SEIs. - - - -
-
- Recommendations - - Validate before and after File Export. Run OMS validation on the original source and again - on the exported MP4 to confirm integrity. - - - A simpler test is to only verify that the MP4 file has SEIs present after export. Below is - an ffmpeg command for that. - &1 | grep -i sei]]> - - - Cut at signature‑safe boundaries - - Trim at SEIs. There will always be a "dangling end" of the exported file, that is, - frames that cannot be validated since the associated SEI is not present in the exported - recording. To minimize the "dangling end", trim at frames with a signed SEI (inclusive), - that is, a SEI with a signature. -
+ tamper-proof. + Preserve NAL order and bytes + ONVIF signed media bitstream captured from the device shall not be filtered, rewritten + reencoded or normalized, as the raw format and order of NAL units is critical. + Keep OMS SEI NAL units + ONVIF signed media includes signature information in SEI (Supplemental Enhancement + Information) frames of type user data unregistered within the codec + format (H.264 and H.265) and they shall not be stripped. + As SEI frames do not affect the video frame decoding, ISO/IEC 14496-12 provides the + user an option to remove these when creating an MP4 file, but these are critical for ONVIF + signed media and hence Never strip these. + Add OMS Certificate SEI NAL unit if present + The device has an option to add a Certificate SEI at the beginning of a stream. This + SEI includes all necessary information to validate subsequent SEIs. If the stream from the + device had a Certificate SEI, that SEI shall be added to the first access unit of the + exported recording.
Required Side Information @@ -416,7 +368,6 @@ class SurveillanceExportBox string SourceURL; string SourceMAC; string SourceLine; - UInt(8) SourceSigned; } } ]]> @@ -430,8 +381,6 @@ class SurveillanceExportBox ExportUnitTime is an integer that provides date and time designation as defined in ISO/IEC 14496-12 of when the export operation has been started. entry_count is an integer that provides the number of tracks. - - SourceSigned is an integer that provides '1' if the track is signed with ONVIF Media Signing.
Timing @@ -872,7 +821,7 @@ class AdditionalUserInformationBox cert2 Certificate of the exporter mfra1 Optional movie fragment random access (must be last in file) tfra1 Track fragment random access - mfro1 Movie fragment random access offset + mfro1 Movie fragment random access offset The superscripts denotes the specification that defines the box: @@ -882,6 +831,47 @@ class AdditionalUserInformationBox 3 ETSI TS 126 244 + + Media Signing Recommendations + No re-encoding + ONVIF signed media stream captured from the device shall not be transcoded or + recompressed. Instead Use pure remuxing (-c copy in ffmpeg) to change + containers. + + Treat the video elementary stream as immutable + + + + Keep all SPS/PPS/VPS, access unit delimiter (AUD), prefix/suffix SEI and + slice NALs in their original order. + Do not change frame rate, timescale, timebase or GOP structure. Avoid + frame duplication, dropping, de‑interlacing or timestamp “cleanup”. + For SEI preservation: In H.264 the SEI NAL type is 6; in HEVC, SEI + prefix/suffix types are 39/40. These must stay attached to the same access units they + originally accompanied. Do not convert or regroup SEIs (e.g., never swap HEVC prefix and + suffix). + Avoid bitstream filters. Only use a filter when absolutely certain it will + not modify or remove SEIs. Never run “cleaning” filters that remove private SEIs. + + + + + Validate before and after File Export. Run OMS validation on the original source and again + on the exported MP4 to confirm integrity. + + + A simpler test is to only verify that the MP4 file has SEIs present after export. Below is + an ffmpeg command for that. + &1 | grep -i sei]]> + + + Cut at signature‑safe boundaries + + Trim at SEIs. There will always be a "dangling end" of the exported file, that is, + frames that cannot be validated since the associated SEI is not present in the exported + recording. To minimize the "dangling end", trim at frames with a signed SEI (inclusive), + that is, a SEI with a signature. + Revision History diff --git a/doc/MediaSigning.xml b/doc/MediaSigning.xml index bc93c1646..d53f7c8cd 100644 --- a/doc/MediaSigning.xml +++ b/doc/MediaSigning.xml @@ -1284,8 +1284,6 @@ including all information that is only sent once; The certificate SEI bit is set. This SEI shall be stored for later use. Further, when exporting a video segment to file, this certificate SEI shall be added to the first AU of that recording. - The client shall not remove any SEI-frames from the stream. It is possible to - move a signed SEI to the first AU not included in the associated (partial) GOP. The client shall make sure that the SEIs are not removed when exporting to an MP4 file. For a full list of requirements; See the ExportFileFormat specification.