Deepfake incidents went from roughly 500,000 cases in 2023 to over 8 million in 2025. That’s a 900% increase in two years. Detection-only approaches can’t keep pace because generative models improve faster than detectors can catch up. C2PA — the Coalition for Content Provenance and Authenticity — takes a different angle: attach a cryptographically signed record of origin, tools, and edit history directly to a media file at the point of creation, so any post-signing alteration is immediately detectable. That record is called a C2PA Manifest or Content Credential. Think of it as a digital passport for content. This article covers how C2PA works at an architecture level, what a manifest actually contains, how it differs from traditional metadata, and — critically — what it cannot prove. For the broader ecosystem context, see the content provenance infrastructure overview.
What problem does C2PA solve — and what is it exactly?
Here’s the problem C2PA is solving: there’s no standardised way to confirm who created a photo, video, or document, or whether it’s been altered since creation. Synthetic content is projected to account for up to 90% of online media by 2026. Already, 74% of consumers doubt photos or videos even from trusted news outlets. That’s a trust crisis.
Traditional metadata — EXIF, IPTC — doesn’t help. Anyone can edit those fields with free tools. There’s no cryptographic binding between the metadata and the content itself. It was never built to be trusted.
C2PA is an open, royalty-free technical specification published under the Joint Development Foundation, currently at v2.3 (December 2025). The coalition includes Adobe, Microsoft, Google, Intel, Arm, BBC, Sony, and Truepic.
Two things C2PA does not do: it does not detect fakes, and it does not classify content as real. It asserts positive provenance — “this content was signed by this entity at this time with these claims.” The absence of a C2PA credential says nothing definitive about authenticity.
What is a C2PA Manifest and what does it contain?
A C2PA Manifest is the core data structure. It’s a digitally signed record embedded inside a media file that documents the content’s origin, creation tools, and complete edit history.
Every manifest has a three-layer hierarchy:
- Assertions — individual statements made by the signer about the asset: “captured by device X”, “AI was used in creation”, “GPS coordinates were Y”, “edited in application Z”. Assertions can include a thumbnail, camera model, editing actions, and generative AI ingredients such as the text prompt and model details.
- Claim — the signed container that groups those assertions into a single, tamper-evident data structure.
- Claim Signature — the cryptographic proof binding the claim to the signer’s identity, created using the signer’s private key.
Here’s something worth noting: all assertions are optional by specification. No single assertion is mandatory. A valid manifest can make very few actual claims. That matters a lot when you’re evaluating what a “verified” credential actually tells you — more on that below.
The manifest also includes the full X.509 certificate chain, so verification can happen offline without contacting the original signer. Manifests are embedded using the JUMBF container format (JPEG Universal Metadata Box Format), which supports JPEG, PNG, MP4, PDF, WebP, AVIF, HEIC, and other file types.
When content is edited, the original manifest becomes an ingredient reference in the new manifest, creating a traceable provenance chain.
How is C2PA different from EXIF metadata — and why does the difference matter?
The key difference is tamper-evidence. EXIF stores descriptive information about a file — camera model, shutter speed, GPS — without any cryptographic binding. What’s written can be changed without a trace. EXIF was never built to be trusted.
C2PA binds provenance to content via cryptographic hard binding. The content is hashed using SHA-256, and that hash is included in the signed manifest. Any pixel-level change to the asset invalidates the hash. The signing format uses COSE (CBOR Object Signing and Encryption) — a well-established standard also used in passports, IoT devices, and web authentication.
“Tamper-evident” is the correct term — not “tamper-proof.” C2PA reveals if tampering occurred but cannot prevent it. As the NCSC puts it: “The smallest modification to a file creates a completely different hash value that makes changes instantly detectable.”
How does the signing process work from capture to verification?
The C2PA workflow has three stages: signing, embedding, and verification.
Stage 1 — Signing. The Claim Generator assembles assertions into a claim, signs it with the signer’s private key in COSE format, and includes the signer’s X.509 certificate from a trusted Certificate Authority. The content is hashed to create the hard binding.
Stage 2 — Embedding. The signed manifest is packaged into a JUMBF container and embedded in the media file. For unsupported formats, a sidecar file carries the manifest alongside the asset.
Stage 3 — Verification. A validator reads the manifest, checks the cryptographic signature against the certificate chain, validates the certificate against the C2PA Trust List, and verifies the hard binding hash against the current file. If the file has been altered, the hash won’t match. All required certificates travel inside the manifest, so verification requires no network call — which makes it well suited to newsrooms and low-connectivity environments.
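The three stages above, carried through on constructed data as an added example (this is not code from the C2PA specification, from c2pa-rs, or from c2patool). It keeps the manifest as a sidecar structure instead of embedding it in JUMBF, uses JSON in place of CBOR/COSE, and verifies against a raw ECDSA P-256 public key rather than an X.509 chain checked against the Trust List; the claim generator names and the assertion labels (written in the spec’s “c2pa.*” style) are assumptions. What it shows is the assertion / claim / claim-signature hierarchy and the hard binding in action: a derived asset whose new manifest references the parent manifest as an ingredient, a signature failure when an assertion is altered after signing, and a hash mismatch when a single byte of the asset changes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is one statement the signer makes about the asset.
// Labels follow the spec's "c2pa.*" naming style but are illustrative here.
type Assertion struct {
	Label string            `json:"label"`
	Data  map[string]string `json:"data"`
}

// Claim groups the assertions with the hard-binding hash of the asset bytes.
type Claim struct {
	Generator   string      `json:"claim_generator"`
	Assertions  []Assertion `json:"assertions"`
	AssetSHA256 string      `json:"asset_sha256"` // hard binding
}

// Manifest is the claim plus the claim signature (DER-encoded ECDSA here,
// where real C2PA uses a COSE_Sign1 structure carrying an X.509 chain).
type Manifest struct {
	Claim     Claim  `json:"claim"`
	Signature []byte `json:"signature"`
}

// HashBytes returns the hex SHA-256 digest of b.
func HashBytes(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign is stage 1: assemble the claim over the asset and sign its canonical
// bytes. encoding/json sorts map keys, so the encoding is deterministic.
func Sign(priv *ecdsa.PrivateKey, generator string, asset []byte, assertions []Assertion) (Manifest, error) {
	claim := Claim{Generator: generator, Assertions: assertions, AssetSHA256: HashBytes(asset)}
	claimBytes, err := json.Marshal(claim)
	if err != nil {
		return Manifest{}, err
	}
	digest := sha256.Sum256(claimBytes)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Manifest{}, err
	}
	return Manifest{Claim: claim, Signature: sig}, nil
}

// Verify is stage 3: check the claim signature first, then recompute the
// asset hash and compare it with the hard binding recorded in the claim.
// A real validator also walks the certificate chain to the Trust List.
func Verify(pub *ecdsa.PublicKey, m Manifest, asset []byte) error {
	claimBytes, err := json.Marshal(m.Claim)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(claimBytes)
	if !ecdsa.VerifyASN1(pub, digest[:], m.Signature) {
		return errors.New("claim signature invalid: claim altered or wrong signer")
	}
	if HashBytes(asset) != m.Claim.AssetSHA256 {
		return errors.New("hard binding mismatch: asset altered after signing")
	}
	return nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	asset := []byte("constructed stand-in for JPEG bytes")
	captured, _ := Sign(priv, "ExampleCamera/1.0", asset, []Assertion{
		{Label: "c2pa.actions", Data: map[string]string{"action": "c2pa.created"}},
	})
	fmt.Println("captured :", Verify(&priv.PublicKey, captured, asset))

	// Editing: the derived asset's manifest references the parent manifest as an ingredient.
	edited := append(append([]byte{}, asset...), []byte(" +crop")...)
	parentBytes, _ := json.Marshal(captured)
	derived, _ := Sign(priv, "ExampleEditor/2.0", edited, []Assertion{
		{Label: "c2pa.actions", Data: map[string]string{"action": "c2pa.cropped"}},
		{Label: "c2pa.ingredient", Data: map[string]string{"parent_manifest_sha256": HashBytes(parentBytes)}},
	})
	fmt.Println("derived  :", Verify(&priv.PublicKey, derived, edited))

	// Tampering after signing: one flipped byte breaks the hard binding.
	tampered := append([]byte{}, asset...)
	tampered[0] ^= 0x01
	fmt.Println("tampered :", Verify(&priv.PublicKey, captured, tampered))
}
```

The order inside Verify matters: the signature is checked before the hard binding, so a validator never trusts a hash value that was not itself signed. In a real pipeline the same editing key would not normally sign both the captured and the derived asset; the example reuses one key only to keep the demonstration short.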
Hardware vs cloud signing. Hardware signing at capture is the strongest trust scenario. The private key is protected inside a hardware security module and extraction is extremely difficult. The Leica M11-P (October 2023) was the first consumer camera with C2PA built in. The Google Pixel 10 signs every photo by default via the Titan M2 chip. Cloud signing enables post-capture credential attachment but introduces chain-of-custody questions about what happened between capture and the signing event.
The Trust List governs which certificates are accepted — the full story is covered in where the trust layer currently falls short. For architecture patterns on integrating C2PA signing into a cloud media pipeline, see architecture patterns for pipeline integration.
What is the difference between C2PA, Content Credentials, and the Content Authenticity Initiative?
These three terms get used interchangeably. They refer to different things.
C2PA (Coalition for Content Provenance and Authenticity) is the standards body and technical specification. It defines how manifests work, what signing means, and what verification requires.
Content Credentials is the user-facing name for C2PA Manifests — what LinkedIn and TikTok display when showing a provenance badge. When a platform says it “supports Content Credentials,” it means it reads and displays C2PA Manifests.
The Content Authenticity Initiative (CAI) is an Adobe-led coalition focused on adoption, open-source tooling, and developer education. CAI maintains the c2pa-rs Rust library (MIT licence) and the c2patool CLI.
In practice: C2PA writes the spec, CAI builds the tools, Content Credentials is the name consumers see. The most common confusion is misattributing governance — expecting CAI tooling to define the standard. The spec lives at c2pa.org. For the full ecosystem picture, see the C2PA ecosystem guide.
What can C2PA not prove — and what is the first-mile trust problem?
C2PA has structural limitations that vendor communications frequently underplay. You need to understand these before evaluating adoption.
The first-mile trust gap is the most significant structural limitation. C2PA can confirm that a specific device or software made a specific claim at a specific time. It cannot confirm the underlying content is authentic. The canonical example: a camera can sign a photo of a screen displaying a deepfake. The manifest will be cryptographically valid, the hard binding will pass, the certificate chain will verify — and the content is still fabricated. The trust model ultimately rests on signer honesty.
Metadata stripping is a practical everyday limitation. Standard C2PA manifests embedded via JUMBF are lost when a non-C2PA-aware tool resaves the file. WhatsApp, iMessage, and Facebook all re-encode images on upload, silently removing any embedded credentials. The stripped file gives no signal that credentials ever existed.
This stripping limitation is what leads to Durable Content Credentials, which combine metadata, invisible watermarking (soft binding via TrustMark), and image fingerprinting to recover provenance even after stripping. That approach is covered in how durable credentials address metadata stripping.
Additional structural limitations:
- All assertions are optional — a valid manifest can make minimal claims, providing little actionable information.
- The Trust List and conformance programme are still maturing. Only commercial Certificate Authorities — DigiCert, SSL.com — currently issue trusted signing certificates, at roughly $289/year. There’s no free CA equivalent to Let’s Encrypt for C2PA, which creates a real cost barrier for individual creators and smaller organisations.
- C2PA does not detect deepfakes or AI-generated content. It records a signer’s assertion about whether AI was used. The assertion’s truthfulness depends entirely on the signer’s honesty.
Where is the official documentation and what tooling is available?
If you’re evaluating C2PA — whether for a camera product, a media pipeline, or a publishing platform — here’s what you’d reach for.
The C2PA specification (v2.3, December 2025) is the normative reference, published royalty-free at c2pa.org.
The CAI developer learning hub at learn.contentauthenticity.org has tutorials, guides, and implementation walkthroughs for developers integrating C2PA.
c2pa-rs is the open-source Rust library (MIT licence) for reading, creating, and validating manifests — the primary reference implementation, available via the CAI GitHub organisation. c2patool is the CLI tool built on top of it for signing and inspecting manifests without writing code.
Content Credentials Verify at contentcredentials.org/verify inspects whether a file carries a valid manifest — processed entirely in-browser using WebAssembly, so files never leave the user’s device. C2PA Viewer at c2paviewer.com exposes the raw JSON manifest for technical debugging.
For architecture patterns on integrating C2PA signing into a cloud media pipeline, see architecture patterns for pipeline integration. For a complete overview of the C2PA ecosystem and how content provenance infrastructure works, see the C2PA content provenance infrastructure overview.
Frequently Asked Questions
Can C2PA tell me if a photo is real or fake?
No. C2PA records a signer’s assertions about origin, tools, and edit history. If those assertions are false, the manifest is still cryptographically valid. C2PA proves who signed a claim, not whether the claim is true.
What happens to content credentials when someone strips the metadata from an image?
Standard C2PA manifests are lost when a non-C2PA-aware tool resaves the file — WhatsApp, iMessage, and Facebook all re-encode images on upload. Durable Content Credentials address this by adding invisible watermarks (TrustMark) and image fingerprinting as backup recovery mechanisms.
Is C2PA just a fancy watermark, or is it something different?
C2PA is fundamentally different from watermarking. A watermark alters pixel data and can be cropped away. A C2PA manifest is structured metadata that doesn’t change the visual content and provides cryptographic tamper detection that watermarks can’t offer. They’re complementary — Durable Content Credentials use watermarks as a soft binding mechanism — but they solve different problems.
How much does it cost to sign content with C2PA?
A trusted signing certificate from DigiCert or SSL.com costs approximately $289 per year. Self-signed certificates are flagged as untrusted by verifiers. There’s currently no free CA equivalent to Let’s Encrypt for C2PA, which creates a cost barrier for individual creators and smaller organisations.
Which cameras currently support C2PA content credentials?
As of early 2026: Leica M11-P (hardware signing since October 2023); Google Pixel 10 (hardware-backed via Titan M2 chip, every photo signed by default); Sony α9 III and α1 II (cloud signing via Sony Imaging Edge, opt-in per shoot); Samsung Galaxy S25 (AI-edited photos only). The Nikon Z6 III had C2PA support but suspended it after a signing vulnerability led to full certificate revocation in September 2025.
Do AI image generators embed C2PA credentials?
OpenAI (DALL-E 3, Sora), Adobe Firefly, and Google Imagen embed C2PA credentials identifying AI-generated content. Midjourney does not embed C2PA credentials as of early 2026 — a notable gap in AI-generation coverage.
What is the difference between hard binding and soft binding?
Hard binding uses a SHA-256 hash computed over the file’s bytes — any change breaks it. Soft binding uses a perceptual hash or invisible watermark designed to survive minor edits and transcoding. Hard binding provides stronger tamper-evidence; soft binding provides durability at the cost of reduced security guarantees.
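An added example (not code from the page, from C2PA, or from TrustMark) contrasting the two bindings on a constructed 8x8 grayscale image: SHA-256 over the pixel bytes as the hard binding, and a 64-bit average hash standing in for a perceptual hash as the soft binding. TrustMark’s invisible watermark and production fingerprinting algorithms are considerably more involved than this; the average hash and its match threshold are assumptions chosen for clarity. Brightening every pixel by 10 changes the SHA-256 digest but leaves the perceptual hash identical, while inverting the image moves every bit.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Image is a constructed 8x8 grayscale stand-in for real pixel data.
type Image [64]uint8

// HardBinding hashes the raw pixel bytes: any byte change produces a new digest.
func HardBinding(img Image) string {
	sum := sha256.Sum256(img[:])
	return hex.EncodeToString(sum[:])
}

// SoftBinding computes a 64-bit average hash (a simple perceptual hash):
// each bit records whether that pixel is brighter than the image mean.
func SoftBinding(img Image) uint64 {
	total := 0
	for _, p := range img {
		total += int(p)
	}
	mean := total / len(img)
	var h uint64
	for i, p := range img {
		if int(p) > mean {
			h |= 1 << uint(i)
		}
	}
	return h
}

// HammingDistance counts differing bits between two soft-binding hashes.
func HammingDistance(a, b uint64) int { return bits.OnesCount64(a ^ b) }

// SoftMatch treats small perceptual-hash distances as the same content.
// The threshold is an assumption; deployments tune it per use case.
func SoftMatch(a, b uint64) bool { return HammingDistance(a, b) <= 6 }

// Gradient builds the sample image: pixel values 0, 4, 8, ... 252.
func Gradient() Image {
	var img Image
	for i := range img {
		img[i] = uint8(i * 4)
	}
	return img
}

// Brighten adds delta to every pixel, clamping at 255 (a "minor edit").
func Brighten(img Image, delta uint8) Image {
	var out Image
	for i, p := range img {
		v := int(p) + int(delta)
		if v > 255 {
			v = 255
		}
		out[i] = uint8(v)
	}
	return out
}

// Invert replaces the content with its negative (a substantive change).
func Invert(img Image) Image {
	var out Image
	for i, p := range img {
		out[i] = 255 - p
	}
	return out
}

func main() {
	orig := Gradient()
	bright := Brighten(orig, 10)
	inv := Invert(orig)
	fmt.Println("hard binding survives brighten:", HardBinding(orig) == HardBinding(bright))
	fmt.Println("soft distance after brighten :", HammingDistance(SoftBinding(orig), SoftBinding(bright)))
	fmt.Println("soft distance after invert   :", HammingDistance(SoftBinding(orig), SoftBinding(inv)))
	fmt.Println("soft match after invert      :", SoftMatch(SoftBinding(orig), SoftBinding(inv)))
}
```

The trade-off the FAQ describes is visible in the numbers: the hard binding gives a yes/no answer with no tolerance, which is exactly what tamper-evidence needs, whereas the soft binding tolerates the brightness edit by design and therefore also tolerates some adversarial edits that stay under the threshold, which is why it is used to recover provenance rather than to prove integrity.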
Is C2PA required by any regulation?
The EU AI Act (effective August 2026) requires transparency labelling for AI-generated content; C2PA’s AI assertion type directly satisfies this. The U.S. Digital Authenticity and Provenance Act (2025) mandates content provenance disclosure in federally regulated media contexts.
Can someone create a fake C2PA manifest for content they did not create?
Yes — and this has been demonstrated empirically. The Hacker Factor created a valid forged manifest attributed to a named individual using the publicly available c2patool. Separately, they demonstrated that an AI-generated image could be signed by a Nikon C2PA-enabled camera, producing a valid manifest with no photographic provenance. The C2PA Trust List and certificate governance are designed to limit retroactive signing risk, but both vectors are documented and active threats.
What does it mean when a file has no C2PA manifest?
It means nothing definitive. The vast majority of content today carries no C2PA manifest. Absence of credentials does not indicate the content is inauthentic or manipulated — it simply means no signer has attached provenance metadata. Treating absence as a negative signal is a known misinterpretation.
Can C2PA manifests be verified offline?
Yes. All required certificates travel inside the manifest, so no network call is needed. Content Credentials Verify and C2PA Viewer process files entirely in-browser using WebAssembly — files never leave the user’s device. This makes offline and air-gapped verification straightforward for newsrooms and legal workflows.