C2PA Content Credentials Skill
This skill enables working with C2PA (Coalition for Content Provenance and Authenticity) metadata in media files using the c2patool command-line utility.
Prerequisites
The c2patool binary must be installed and available in the system PATH. If not installed, guide the user to:
- Download from: https://github.com/contentauth/c2pa-rs/releases
- Extract and add to PATH
- Verify with:
c2patool -V
Core Capabilities
1. Inspect and Analyze C2PA Manifests
Basic inspection - Display manifest JSON:
c2patool <file>
Detailed report - Show complete C2PA manifest structure:
c2patool <file> -d
File information - High-level summary:
c2patool <file> --info
When inspecting manifests:
- Parse and explain the manifest JSON structure
- Identify claims, assertions, and ingredients
- Verify signature validity and trust chains
- Extract and present provenance information clearly
- Report on content credentials including creator, edits, and AI usage
Create signed file with manifest:
c2patool <source_file> -m <manifest.json> -o <output_file>
Sign with parent file relationship:
c2patool <source_file> -m <manifest.json> -p <parent_file> -o <output_file>
Generate external sidecar manifest:
c2patool <source_file> -s -m <manifest.json> -o <output_file>
3. Manifest Definition Structure
When creating manifests, use this JSON structure:
{
"claim_generator": "application_name/version",
"title": "Content Title",
"assertions": [
{
"label": "c2pa.actions",
"data": {
"actions": [
{
"action": "c2pa.created"
}
]
}
},
{
"label": "c2pa.creative-work",
"data": {
"author": [
{
"name": "Creator Name"
}
]
}
}
],
"ingredients": [],
"signature": {
"alg": "es256",
"sign_cert": "path/to/cert.pem",
"private_key": "path/to/private.key"
}
}
Common assertion types:
c2pa.actions - Document editing historyc2pa.creative-work - Author and copyright informationc2pa.hash.data - Content integrity hashesc2pa.training-mining - AI training usage permissions- Custom assertions for application-specific metadata
Important Options
--force/-f - Overwrite existing output files--config/-c - Provide manifest definition as inline JSON string--signer-path - Use custom signing executable (for HSM/KMS)--detailed/-d - Show detailed manifest structure--info - Display high-level file information
Security Best Practices
- Certificate Management: Always use valid X.509 certificates from trusted sources
- Key Storage: Recommend using Key Management Service (KMS) or Hardware Security Module (HSM)
- Trust Validation: Verify trust chains against known trust anchors
- Private Key Protection: Never expose private keys in manifest files or logs
C2PA supports:
- Images: JPEG, PNG, AVIF, WebP
- Video: MP4, MOV, HEIF
- Audio: MP3, WAV, M4A
Workflow Examples
Example 1: Inspect existing content
# Check if file has C2PA metadata
c2patool image.jpg
# Get detailed provenance report
c2patool image.jpg -d | jq .
Example 2: Sign new content
- Create manifest JSON with claims
- Generate or obtain signing certificate and key
- Run:
c2patool original.jpg -m manifest.json -o signed.jpg
- Verify:
c2patool signed.jpg --info
Example 3: Document editing workflow
- Sign original:
c2patool original.jpg -m create_manifest.json -o v1.jpg
- Sign edited version with parent:
c2patool v1.jpg -m edit_manifest.json -p v1.jpg -o v2.jpg
- View complete history:
c2patool v2.jpg -d
Troubleshooting
- If
c2patool command not found, verify installation and PATH
- For signing errors, check certificate validity and key format
- Use
--force to overwrite existing files
- Examine detailed output with
-d flag for manifest issues
When to Use This Skill
Use this skill when the user:
- Wants to verify content authenticity or check for C2PA credentials
- Needs to examine provenance, editing history, or AI usage claims
- Wants to add C2PA manifests to their media files
- Needs to establish content credentials for publishing
- Wants to document their creative workflow with cryptographic proof
- Asks about content authenticity, provenance, or "Content Credentials"