I think I've gotten a slightly better understanding of what Youtube is up to with this enciphered signature nonsense, and I'm trying a new method of dealing with it.

If you send me the errors printed for any videos that it can't download, that will be very helpful.

I think that what's going on is not that the ciphers are keyed off of the length of the signature, but rather, than they are just periodically changing the cipher algorithm, so the only way to know what algorithm to use is to have hardcoded knowledge of what is implemented in whatever version of "html5player.js" is getting loaded today (currently "html5player-vfl_ymO4Z.js".)

This means that every time they change the algorithm, I'll have to update the code in youtubedown. I don't know how frequently they're doing that, but that's some bullshit.

Maybe there's a way to parse this out from the Javascript, but since they've obfuscated and minimized it, the name of the decipherment routine changes.

I still have no idea how the signatures in get_video_info are to be deciphered. If there's a clue in there as to what algorithm is in use, I haven't spotted it.

Let me know if you find any that still don't work.

Great googly-moogly, that was a pain in the ass!

There's a get_video_info that tells you the URLs for the various resolutions of video data of a Youtube clip, in JSON form. Back in 2012, they changed it so that you had to take the provided "sig=" parameter and append it to the video URL before it would work. This signature appears to be a hash of some of the parameters to the URL (similar to what OAuth does) and the video-data URLs give you a 403 without it.

Within the last few months, they've started rolling out a new glitch where sometimes the signature (which is now "s=" instead of "sig=") is tagged with "use_cipher_signature", and... it's enciphered. Just enciphered. No actual crypto: simply a character-position-swapping cipher! These enciphered sigs come in lengths from 82 to 88 bytes, and you have to re-order and drop characters in particular ways to get them down to the 81-byte original signature. Each length seems to have a different algorithm, unless there's an overarching pattern that I haven't spotted.

It's purely security-through-obscurity! What a dick move.

Anyway, there's another kink on top of this: the enciphered signatures in the JSON don't work. The info about URL sources exists in both the get_video_info JSON, and also inside the HTML page itself, embedded as JavaScript. It's the same information, but with slightly different URLs and corresponding signatures. Obviously parsing the JSON is easier and saner than scraping JavaScript out of an HTML page, but... the URL/signature pairs in the JSON don't work, while the URL/signature pairs in the JavaScript do. So when you load the JSON, and find that the signature is enciphered, you have to punt on that data you already have and fall back on re-parsing the HTML instead.

What is this I don't even.

For laughs, check out the decipher_sig() function.

Now I have to wait for Miro to play catch-up and deploy a similar fix. I'm not holding my breath, because they still haven't released even a nightly build that includes the fix for downloading restricted Vimeo videos that I explained to them over a year ago. Sigh.

Previously.