Published Feb 7, 2026


C2PA Content Credentials Skill

This skill enables working with C2PA (Coalition for Content Provenance and Authenticity) metadata in media files using the c2patool command-line utility.

Prerequisites

The c2patool binary must be installed and available in the system PATH. If not installed, guide the user to:

  1. Download from: https://github.com/contentauth/c2pa-rs/releases
  2. Extract and add to PATH
  3. Verify with: c2patool -V

Core Capabilities

1. Inspect and Analyze C2PA Manifests

Basic inspection - Display manifest JSON:

c2patool <file>

Detailed report - Show complete C2PA manifest structure:

c2patool <file> -d

File information - High-level summary:

c2patool <file> --info

When inspecting manifests:

  • Parse and explain the manifest JSON structure
  • Identify claims, assertions, and ingredients
  • Verify signature validity and trust chains
  • Extract and present provenance information clearly
  • Report on content credentials including creator, edits, and AI usage
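The inspection steps above, as an added example that is not part of the original skill or the c2patool project: a Python helper that takes the JSON report printed by `c2patool <file>`, walks the provenance chain through parent ingredients, and fails closed when any validation code is reported. The field names (`active_manifest`, `manifests`, `signature_info`, `validation_status`) are an assumption about the report format of the tool version in use, and the sample report is constructed.

```python
import json

# Constructed sample shaped like the JSON report c2patool prints for a file.
# Field names are an assumption about the tool version in use; values are made up.
SAMPLE = json.loads("""{
  "active_manifest": "urn:uuid:edit",
  "manifests": {
    "urn:uuid:orig": {
      "claim_generator": "gen_app/1.0",
      "signature_info": {"issuer": "Example CA"},
      "assertions": [{"label": "c2pa.actions", "data": {"actions": [
        {"action": "c2pa.created", "digitalSourceType":
         "http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia"}]}}],
      "ingredients": []},
    "urn:uuid:edit": {
      "claim_generator": "edit_app/2.1",
      "signature_info": {"issuer": "Example CA"},
      "assertions": [{"label": "c2pa.actions", "data": {"actions": [{"action": "c2pa.edited"}]}}],
      "ingredients": [{"title": "v1.jpg", "relationship": "parentOf",
                       "active_manifest": "urn:uuid:orig"}]}},
  "validation_status": [{"code": "signingCredential.untrusted"}]
}""")

def summarize(store):
    """Walk from the active manifest back through parentOf ingredients."""
    history, seen = [], set()
    label = store.get("active_manifest")
    while label and label not in seen:  # 'seen' stops reference loops
        seen.add(label)
        manifest = store.get("manifests", {}).get(label)
        if manifest is None:  # dangling reference: stop, report what we have
            break
        actions = [a for s in manifest.get("assertions", [])
                   if s.get("label", "").startswith("c2pa.actions")
                   for a in s.get("data", {}).get("actions", [])]
        history.append({
            "manifest": label,
            "generator": manifest.get("claim_generator"),
            "issuer": manifest.get("signature_info", {}).get("issuer"),
            "actions": [a.get("action") for a in actions],
            "ai_generated": any("trainedalgorithmicmedia" in
                                a.get("digitalSourceType", "").lower() for a in actions),
        })
        label = next((i.get("active_manifest") for i in manifest.get("ingredients", [])
                      if i.get("relationship") == "parentOf"), None)
    errors = [s.get("code") for s in store.get("validation_status") or []]
    # Fail closed: no manifest, or any reported validation code, is not "ok".
    return {"has_credentials": bool(history), "validation_ok": bool(history) and not errors,
            "errors": errors, "history": history}
```

With a real file, pass `json.loads` of the tool's output to `summarize` and present `errors` to the user before any provenance claims.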

2. Sign Media Files and Generate Claims

Create signed file with manifest:

c2patool <source_file> -m <manifest.json> -o <output_file>

Sign with parent file relationship:

c2patool <source_file> -m <manifest.json> -p <parent_file> -o <output_file>

Generate external sidecar manifest:

c2patool <source_file> -s -m <manifest.json> -o <output_file>

3. Manifest Definition Structure

When creating manifests, use this JSON structure:

{
  "claim_generator": "application_name/version",
  "title": "Content Title",
  "assertions": [
    {
      "label": "c2pa.actions",
      "data": {
        "actions": [
          {
            "action": "c2pa.created"
          }
        ]
      }
    },
    {
      "label": "c2pa.creative-work",
      "data": {
        "author": [
          {
            "name": "Creator Name"
          }
        ]
      }
    }
  ],
  "ingredients": [],
  "alg": "es256",
  "sign_cert": "path/to/cert.pem",
  "private_key": "path/to/private.key"
}

Common assertion types:

  • c2pa.actions - Document editing history
  • c2pa.creative-work - Author and copyright information
  • c2pa.hash.data - Content integrity hashes
  • c2pa.training-mining - AI training usage permissions
  • Custom assertions for application-specific metadata

Important Options

  • --force/-f - Overwrite existing output files
  • --config/-c - Provide manifest definition as inline JSON string
  • --signer-path - Use custom signing executable (for HSM/KMS)
  • --detailed/-d - Show detailed manifest structure
  • --info - Display high-level file information

Security Best Practices

  1. Certificate Management: Always use valid X.509 certificates from trusted sources
  2. Key Storage: Recommend using a Key Management Service (KMS) or Hardware Security Module (HSM)
  3. Trust Validation: Verify trust chains against known trust anchors
  4. Private Key Protection: Never expose private keys in manifest files or logs

Supported File Formats

C2PA supports:

  • Images: JPEG, PNG, AVIF, WebP
  • Video: MP4, MOV, HEIF
  • Audio: MP3, WAV, M4A

Workflow Examples

Example 1: Inspect existing content

# Check if file has C2PA metadata
c2patool image.jpg

# Get detailed provenance report
c2patool image.jpg -d | jq .

Example 2: Sign new content

  1. Create manifest JSON with claims
  2. Generate or obtain signing certificate and key
  3. Run: c2patool original.jpg -m manifest.json -o signed.jpg
  4. Verify: c2patool signed.jpg --info

Example 3: Document editing workflow

  1. Sign original: c2patool original.jpg -m create_manifest.json -o v1.jpg
  2. Sign edited version with parent: c2patool v1.jpg -m edit_manifest.json -p v1.jpg -o v2.jpg
  3. View complete history: c2patool v2.jpg -d

Troubleshooting

  • If the c2patool command is not found, verify installation and PATH
  • For signing errors, check certificate validity and key format
  • Use --force to overwrite existing files
  • Examine detailed output with -d flag for manifest issues

When to Use This Skill

Use this skill when the user:

  • Wants to verify content authenticity or check for C2PA credentials
  • Needs to examine provenance, editing history, or AI usage claims
  • Wants to add C2PA manifests to their media files
  • Needs to establish content credentials for publishing
  • Wants to document their creative workflow with cryptographic proof
  • Asks about content authenticity, provenance, or "Content Credentials"