Update Export File Format wrt Media Signing

doc/ExportFileFormat.xml

@@ -251,7 +251,7 @@
     <section>
       <title>Use case 2: Forensic analysis at court</title>
       <para>A court receives video clips from a grocery store, a street surveillance system and a metro operator. All three videos are shown in the court’s approved video player.</para>
-      <para>The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic.</para>
+      <para>The judges want to see the suspect in all three video clips with exact time information. They also want to have information when the video clips have been exported and whether the video sequence is complete and authentic. Further, they preferably also want to validate the authenticity and provenance of videos using ONVIF Media Signing.</para>
     </section>
     <section>
       <title>Use case 3: Playback at players not equipped according to the present specification</title>
@@ -260,6 +260,29 @@
   </chapter>
   <chapter>
     <title>Export Format</title>
+    <section>
+      <title>Requirements to Preserve Media Signing</title>
+      <para>In order to maintain the integrity and authenticity of ONVIF streaming media signed in
+        accordance with the ONVIF Media Signing (OMS) specification when exporting to an MP4
+        container, the following prerequisite steps shall be adhered to during the export process to
+        ensure signature verification remains intact and media evidence can be trusted as
+        tamper-proof.</para>
+      <para><emphasis role="bold">Preserve NAL order and bytes</emphasis></para>
+      <para> ONVIF signed media bitstream captured from the device shall not be filtered, rewritten
+        reencoded or normalized, as the raw format and order of NAL units is critical.</para>
+      <para><emphasis role="bold">Keep OMS SEI NAL units</emphasis></para>
+      <para> ONVIF signed media includes signature information in SEI (Supplemental Enhancement
+        Information) frames of type <literal>user data unregistered</literal> within the codec
+        format (H.264 and H.265) and they shall not be stripped.</para>
+      <para>As SEI frames do not affect the video frame decoding, ISO/IEC 14496-12 provides the
+        user an option to remove these when creating an MP4 file, but these are critical for ONVIF
+        signed media and hence <emphasis role="bold">Never strip these.</emphasis></para>
+      <para><emphasis role="bold">Add OMS Certificate SEI NAL unit if present</emphasis></para>
+      <para> The device has an option to add a Certificate SEI at the beginning of a stream. This
+        SEI includes all necessary information to validate subsequent SEIs. If the stream from the
+        device had a Certificate SEI, that SEI shall be added to the first access unit of the
+        exported recording.</para>
+    </section>
     <section>
       <title>Required Side Information</title>
       <para>
@@ -798,7 +821,7 @@ class AdditionalUserInformationBox
                 <emphasis role="bold">cert</emphasis><superscript>2</superscript>       Certificate of the exporter
 <emphasis role="bold">mfra</emphasis><superscript>1</superscript>                       Optional movie fragment random access (must be last in file)
     <emphasis role="bold">tfra</emphasis><superscript>1</superscript>                   Track fragment random access
-    <emphasis role="bold">mfro</emphasis><superscript>1</superscript>                    Movie fragment random access offset
+    <emphasis role="bold">mfro</emphasis><superscript>1</superscript>                   Movie fragment random access offset
 </programlisting>
     <para>The superscripts denotes the specification that defines the box:</para>
     <para>
@@ -808,6 +831,47 @@ class AdditionalUserInformationBox
     <para>
       <superscript>3</superscript> ETSI TS 126 244</para>
   </appendix>
+  <appendix>
+    <title>Media Signing Recommendations</title>
+    <para><emphasis role="bold">No re-encoding</emphasis></para>
+    <para>ONVIF signed media stream captured from the device shall not be transcoded or
+      recompressed. Instead Use pure remuxing (<literal>-c copy</literal> in ffmpeg) to change
+      containers.</para>
+    <para>
+      <emphasis role="bold">Treat the video elementary stream as immutable</emphasis>
+    </para>
+    <para>
+      <itemizedlist>
+      <listitem><para>Keep all SPS/PPS/VPS, access unit delimiter (AUD), prefix/suffix SEI and
+        slice NALs in their original order.</para></listitem>
+      <listitem><para>Do not change frame rate, timescale, timebase or GOP structure. Avoid
+        frame duplication, dropping, de‑interlacing or timestamp “cleanup”.</para></listitem>
+      <listitem><para>For SEI preservation: In H.264 the SEI NAL type is 6; in HEVC, SEI
+        prefix/suffix types are 39/40. These must stay attached to the same access units they
+        originally accompanied. Do not convert or regroup SEIs (e.g., never swap HEVC prefix and
+        suffix).</para></listitem>
+      <listitem><para>Avoid bitstream filters. Only use a filter when absolutely certain it will
+        not modify or remove SEIs. Never run “cleaning” filters that remove private SEIs.</para>
+      </listitem>
+      </itemizedlist>
+    </para>
+    <para>
+      Validate before and after File Export. Run OMS validation on the original source and again
+      on the exported MP4 to confirm integrity.
+    </para>
+    <para>
+      A simpler test is to only verify that the MP4 file has SEIs present after export. Below is
+      an ffmpeg command for that.
+      <programlisting><![CDATA[ffmpeg -i outSigned.mp4 -c copy -bsf:v trace_headers -f null - 2>&1 | grep -i sei]]></programlisting>
+    </para>
+    <para>
+      <emphasis role="bold">Cut at signature‑safe boundaries</emphasis>
+    </para>
+    <para>Trim at SEIs. There will always be a "dangling end" of the exported file, that is,
+      frames that cannot be validated since the associated SEI is not present in the exported
+      recording. To minimize the "dangling end", trim at frames with a signed SEI (inclusive),
+      that is, a SEI with a signature.</para>
+  </appendix>
   <appendix role="revhistory">
     <title>Revision History</title>
     <para />

doc/MediaSigning.xml

@@ -1282,10 +1282,10 @@
       <title>Minimum requirements for client handling of a signed video stream</title>
       <para>Attached to an AU of a signed video stream may be a certificate SEI
         including all information that is only sent once; The certificate SEI bit is set.
-        This SEI should be stored for later use. Further, when exporting a video segment to file,
-        this certificate SEI shall be added to the first AU of that recording.</para>
-      <para>The client shall not remove any SEI-frames from the stream. It is possible to move
-        them to the AU including the I-frame of the following GOP the particular SEI did sign.</para>
+        This SEI shall be stored for later use. Further, when exporting a video segment to
+        file, this certificate SEI shall be added to the first AU of that recording.</para>
+      <para>The client shall make sure that the SEIs are not removed when exporting to an
+        MP4 file. For a full list of requirements; See the ExportFileFormat specification.</para>
     </section>
     <section xml:id="section_ajs_njq_bwb">
       <title>Client side validation</title>