Signing your first asset with the C2PA Tool

Content Credentials are a new kind of tamper-evident metadata that allows the end consumer to inspect the provenance of an asset. The provenance often includes information about how the asset was created and what modifications have occurred. The way we maintain this secure provenance is by adding a manifest to the asset’s manifest store when it is created and for each modification. The manifest contains assertions that describe the nature of the changes that occurred to the asset. Each time a new manifest is added to the asset’s manifest store, it receives a new digital signature over the content and metadata. We call this “signing the asset” for short.

About the C2PA Tool

The C2PA Tool is a command line application, built on c2pa-rs, that provides simple access to many of the most common features needed to sign and verify assets. It allows you to:

  • Read and validate C2PA manifests from media files
  • Add C2PA manifests to supported media files
  • Add CAWG identity assertions to media files
  • Generate detailed C2PA manifest reports

Installing the C2PA Tool

There are a few ways to install the c2patool, but for this tutorial, we are going to use a pre-compiled binary. This is available for Mac, Windows, and Linux. Here are links to the three options:

Precompiled binaries

Once downloaded, extract the archive to a convenient location. From there, you will want to open that folder in a code editor like VS Code.

Handle macOS Security Settings

When you first try to run c2patool, macOS may block it because it was downloaded from the internet. Try running the tool in Terminal:

c2patool --version

If you see a security warning that says "Apple could not verify “c2patool”...", click Done to dismiss it. Then open System Settings > Privacy & Security, scroll down, and look for a message that says "c2patool was blocked to protect your mac". Click Allow Anyway. When you run c2patool again, click "Open Anyway".

What’s in the box?

Top level directory

  • c2patool - This is the binary executable for validating and adding C2PA data to media files.
  • README.md - Primary documentation covering installation, usage, and getting started with the tool.
  • CHANGELOG.md - Version history and release notes.

Sample directory

  • image.jpg - Unsigned test image
  • C.jpg - Signed test image
  • es256_certs.pem - ES256 certificate chain
  • es256_private.key - ES256 private key
  • ps256.pem - PS256 private key
  • ps256.pub - PS256 public key
  • allowed_list.pem - List of trusted end entity certificates
  • trust_anchors.pem - List of trusted root certificates
  • test.json - Example manifest definition file
  • store.cfg - OID definitions

Signing an asset

In our example in the video, we sign our first asset using the included manifest definition file. We won’t be configuring it in this first lesson, but we’ll cover configuration in greater detail in future lessons.

# c2patool command to sign the image

./c2patool sample/image.jpg -m sample/test.json -o signed.jpg
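
After signing, it is worth reading the manifest back from signed.jpg and confirming that validation reported nothing. The script below is an added example, not part of the original tutorial or the C2PA Tool project: it assumes that running c2patool with only an asset path prints the manifest report as JSON, and the field names and both sample reports are constructed for illustration, so confirm them against the output of your version.

```python
import json
import subprocess
import sys

# Constructed sample reports, shaped like the JSON c2patool prints when given
# an asset path. Field names are assumptions; confirm against your version.
SIGNED = {
    "active_manifest": "urn:uuid:example-1",
    "manifests": {"urn:uuid:example-1": {
        "claim_generator": "example",
        "signature_info": {"issuer": "Example Test Signer",
                           "time": "2025-01-01T00:00:00+00:00"},
    }},
}
# Same report with one validation entry, as a modified asset might produce.
TAMPERED = dict(SIGNED, validation_status=[{
    "code": "assertion.dataHash.mismatch",
    "url": "self#jumbf=c2pa.assertions/c2pa.hash.data",
    "explanation": "asset hash does not match the signed hash",
}])


def check_report(report):
    """Return (ok, findings) for a parsed manifest report."""
    label = report.get("active_manifest")
    manifest = (report.get("manifests") or {}).get(label)
    if manifest is None:
        return False, ["no active manifest found in the report"]
    findings = []
    if not (manifest.get("signature_info") or {}).get("issuer"):
        findings.append("active manifest has no signature issuer")
    # Every validation_status entry is treated as a finding to investigate.
    for status in report.get("validation_status") or []:
        findings.append(f"{status.get('code')}: {status.get('explanation', '')}")
    return not findings, findings


if __name__ == "__main__":
    # Usage: python check_signed.py signed.jpg  (run next to the c2patool binary)
    proc = subprocess.run(["./c2patool", sys.argv[1]],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        sys.exit(f"c2patool failed: {proc.stderr.strip()}")
    ok, findings = check_report(json.loads(proc.stdout))
    print("OK" if ok else "\n".join(findings))
    sys.exit(0 if ok else 1)
```

The non-zero exit code on any finding lets the check gate a build or publishing step.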

Getting more help

This is the first video in an ongoing series, so we will be covering the topics here in great depth in the future. You can also access the CAI Docs to learn more about installing the C2PA Tool. If you have questions about this video, there is a forum set up on the CAI Discord for each video. You can access discussion for this video here. We would love to see your questions there!