We need a sane approach to encrypted signatures #948

Closed
FiloSottile opened this issue Jun 27, 2013 · 7 comments


@FiloSottile FiloSottile commented Jun 27, 2013

We need a good way to handle:

  • automatic tests to look for new algos
  • the errors when new algos come up or when they change (UnavailableVideoError sucks), making it easy for the user to report useful info
  • the process of reversing on our side
  • the way to add and distribute them (should we make a fastlane for these? download the algos automatically?)
FiloSottile added a commit that referenced this issue Jun 27, 2013

@FiloSottile FiloSottile commented Jun 27, 2013

The UnavailableVideoErrors are caused by 403 HTTP errors...


@plfort plfort commented Sep 20, 2013

I am using the "_decrypt_signature" function from the youtube extractor in an Android app, but since it changes all the time I needed a different approach (to avoid pushing a new release on every change).
I decided to use JSON to describe the algorithm, then to "compile" it to decrypt the signature.
Here is the JSON file: https://github.com/plfort/ytdecrypt/blob/master/json/youtube-dl.json
And the repo: https://github.com/plfort/ytdecrypt
With this approach, it is pretty simple to describe and update the algorithm for all languages.

In addition, I wrote a simple class "YoutubeSelenium.java" for test automation; you need to provide video ids through "addYoutubeId" and start testing with "execute". It produces a simple HTML page with test results in the "testResult" folder.

Do you have any videos to test all signature lengths?

This is rather a draft, the code can be greatly improved.


@np1 np1 commented Sep 21, 2013

Hi, previously I also copied the _decrypt_signature function to use in my project, pafy (python api for youtube). It resulted in too many updates, so recently I wrote some python code to use regexps to extract and parse the javascript decryption functions and process the signatures in python. This way does not use eval/exec (which I prefer not to use) and has worked for the last few signature changes. Feel free to take a look for ideas in using with your Android app. https://github.com/np1/pafy/blob/master/pafy.py#L41-L119


@plfort plfort commented Sep 21, 2013

Hello!
I saw this approach in #1208; it is a very interesting solution!
Thank you, I will take a look!


@np1 np1 commented Sep 21, 2013

Yes I have seen that too. It's somewhat different, it generates python code from the javascript code. It could potentially facilitate an arbitrary code execution type attack but it is more versatile and requires less processing of the original javascript. Both approaches have their advantages/disadvantages.
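
The trade-off discussed in the comments above (a declarative description interpreted without eval/exec versus code generated from remote input), as an added example that is not part of the original thread and is not code from youtube-dl, pafy or ytdecrypt. The JSON layout, the operation names `reverse`, `swap` and `drop`, and the size limits are assumptions made for illustration; the point is that a fetched description can only select from an allowlist and is rejected whole if it contains anything else.

```python
import json

MAX_STEPS, MAX_LEN = 64, 4096  # constructed limits for this example
SAMPLE = '[{"op": "reverse"}, {"op": "swap", "arg": 3}, {"op": "drop", "arg": 2}]'  # constructed

def _reverse(chars, _arg):
    chars.reverse()

def _swap(chars, arg):
    # Exchange the first character with the one at index arg (mod length).
    i = arg % len(chars)
    chars[0], chars[i] = chars[i], chars[0]

def _drop(chars, arg):
    del chars[:arg]

# Hypothetical operation names: the only behaviour a description can select.
ALLOWED_OPS = {"reverse": _reverse, "swap": _swap, "drop": _drop}

class UnsupportedDescription(ValueError):
    """The description contains something outside the allowlist."""

def load_steps(text):
    """Validate a JSON description fully before any step runs."""
    steps = json.loads(text)
    if not isinstance(steps, list) or len(steps) > MAX_STEPS:
        raise UnsupportedDescription("expected a list of at most %d steps" % MAX_STEPS)
    checked = []
    for step in steps:
        if not isinstance(step, dict) or set(step) - {"op", "arg"}:
            raise UnsupportedDescription("malformed step: %r" % (step,))
        op, arg = step.get("op"), step.get("arg", 0)
        if not isinstance(op, str) or op not in ALLOWED_OPS:
            raise UnsupportedDescription("unknown op: %r" % (op,))
        if type(arg) is not int or not 0 <= arg <= MAX_LEN:  # also rejects bool
            raise UnsupportedDescription("bad arg for %s: %r" % (op, arg))
        checked.append((ALLOWED_OPS[op], arg))
    return checked

def apply_steps(steps, value):
    """Run validated steps over value; no eval/exec, no attribute lookup."""
    if not 0 < len(value) <= MAX_LEN:
        raise ValueError("input length out of range")
    chars = list(value)
    for func, arg in steps:
        if not chars:
            raise ValueError("steps consumed the whole input")
        func(chars, arg)
    return "".join(chars)
```

An `UnsupportedDescription` is also the signal that the upstream algorithm changed in a way the client does not understand, which is more useful to report than a later HTTP 403.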


@phihag phihag commented Oct 11, 2013

@dentex Thanks, but we just forgot to close this issue. We have had automatic signature extraction for quite a while.

@phihag phihag closed this Oct 11, 2013

@dentex dentex commented Oct 11, 2013

Oh! Great.
Bye.
