07 / 09 — PROVENANCE

Sign the truth, not the lie.

Detection plays defense — it always trails generation. Provenance plays offense: cryptographically assert where an asset came from and what was done to it, before it travels. C2PA is the leading open standard. JPEG Trust is the ISO complement. Both are instrumented; both have limits.

01 · What a Content Credential actually is

A signed manifest, embedded in the asset itself.

The Content Credential is a cryptographically bound structure that records the provenance of a digital asset. It contains one or more assertions — statements about the asset, such as its origin, modifications, and use of AI tools. Each assertion is signed; the signatures chain to an X.509 certificate hierarchy with a published C2PA Trust List that covers both hardware and software issuers. [1]

The technical foundations are deliberately conservative: X.509 certificates (RFC 5280), CBOR (RFC 8949), and JUMBF (ISO 19566-5). The manifest is embedded directly in the file (not stored out-of-band), so it travels with the asset across most platforms and most transformations.[2]

Verification is open and free. Anyone can check a Content Credential at contentcredentials.org/verify — drag a file in and the public reader resolves the chain.

02 · The chain, end to end

From capture to verification — with a hash at every hop.

Fig. 06 · C2PA chain of custody, end to end · spec v 2.2

HASH CHAIN — sealed at each hop · resolved to the C2PA Trust List root at /verify

  01 CAPTURE · Camera or model signs first claim
  02 EDIT · Each tool appends & signs assertion
  03 PUBLISH · Manifest sealed inside the file
  04 DISTRIBUTE · Survives platform reupload where supported
  05 VERIFY · Public reader resolves to trust list root

Manifest = JSON-LD claim set + cryptographic signature, embedded in the asset. Public reader: contentcredentials.org/verify

03 · Adoption — where Content Credentials actually appear

From cameras to social platforms, in roughly two years.

CAMERA / DEVICE Hardware capture

Sony, Leica, and Canon ship Content Credentials in select bodies. Google's Pixel 10 (September 2025) reached C2PA Conformance Assurance Level 2 — the highest tier currently defined for a mobile camera app — using its Tensor G5 SoC and Titan M2 security chip.

C2PA whitepaper, Oct 2025

GENERATIVE AI At the model

Adobe Firefly, OpenAI DALL·E 3, Microsoft Designer, and Amazon Titan Image Generator (v1 and v2) attach Content Credentials at generation time. Adobe also offers Content Authenticity for Enterprise and a Content Authenticity API.

Adobe Summit 2024

PLATFORM Distribution & display

TikTok was the first social platform to attach Content Credentials to AI-generated uploads (2024). LinkedIn displays them on posts. Meta joined the C2PA steering committee. Google integrated Content Credentials into Search and into ad systems.

Adobe blog · Sept 2024

04 · What provenance is not

Honest about the limits of cryptographic authenticity.

NOT A TRUTH ORACLE It only certifies process, not content

A Content Credential states “this asset was produced by these tools, in this order.” It does not say the underlying claim is true, that the framing is fair, or that nothing was missed. Treat the manifest as a ladder, not a verdict.

NOT A CLOSED DEFENSE Adversaries don't sign their work

A signed manifest is a positive assertion by a cooperating actor. It does not attach to content from non-cooperating models, content stripped of metadata, or content that was never signed in the first place. Detection (see /research-lab) and provenance are complementary.

NOT WATERMARK-PROOF Watermarks can be removed

Saberi et al. (arXiv:2310.00076) showed a fundamental trade-off between evasion error and spoofing error for low-perturbation watermarks; high-perturbation watermarks are vulnerable to model-substitution attacks. Watermarking is a useful production signal for cooperating actors — not a closed defense.

05 · The standards-body picture

JPEG Trust is the ISO complement to C2PA.

JPEG Trust (ISO/IEC 21617) is an international standard for asserting authenticity, provenance, attribution, intellectual-property rights, and integrity throughout the life cycle of a media asset. The Core Foundation (Part 1) was approved for publication at the JPEG 105th Meeting in Berlin in October 2024. Part 3 covers watermarking. JPEG Trust is complementary to C2PA, not a competitor — both standards bodies are coordinating on interoperability through the World Standards Cooperation working group on AI watermarking, multimedia authenticity, and deepfake detection.[3]

For a survey of the broader watermarking landscape — including on-device approaches, robustness benchmarks, and known attacks — see the “Watermarking for AI Content Detection” review (arXiv:2504.03765) and Saberi et al. on the fundamental limits of detection and watermarking robustness (arXiv:2310.00076).

06 · What to do, by role

Three concrete next steps.

IF YOU PUBLISH Sign at the source

Adopt a workflow that attaches a Content Credential at capture (camera or generation tool) and preserves it through edit. Adobe Firefly, OpenAI DALL·E 3, Microsoft Designer, and Amazon Titan emit credentials by default; verify your CMS preserves them on upload.

IF YOU CONSUME Verify before you cite

Drag any image into contentcredentials.org/verify to inspect its manifest. Treat the absence of a credential as “unverified by default” rather than “therefore fake.”

IF YOU BUILD Integrate the open libraries

The reference implementations are open source under Apache-2.0: c2pa-rs (Rust) and c2pa-js (JavaScript). Both ship with example apps for signing and verification.
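
For the publisher step above ("verify your CMS preserves them on upload"), a presence check can be run on a JPEG before and after the round trip. The following is an added example, not code from c2pa-rs, c2pa-js or this page's author. It assumes the JPEG embedding in which the JUMBF manifest store is carried in APP11 segments (`JP` identifier, box instance, packet sequence) with a description-box label of `c2pa`; the sample bytes are constructed, and the check does not validate any signature.

```python
import struct

APP11, SOS, EOI = 0xEB, 0xDA, 0xD9

def first_packets(jpeg: bytes):
    """Yield the payload of each first APP11 packet (Z == 1) found before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (SOS, EOI):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated segment")
        body = jpeg[pos + 4:pos + 2 + length]
        # APP11 body: CI "JP", box instance En (2 bytes), packet sequence Z (4 bytes)
        if jpeg[pos + 1] == APP11 and len(body) >= 8 and body[:2] == b"JP":
            _en, z = struct.unpack(">HI", body[2:8])
            if z == 1:
                yield body[8:]
        pos += 2 + length

def has_c2pa_manifest_store(jpeg: bytes) -> bool:
    """True if a JUMBF superbox labelled "c2pa" is embedded. Presence only, no signature check."""
    for data in first_packets(jpeg):
        # LBox(4) "jumb" | LBox(4) "jumd" | type UUID(16) | toggles(1) | label\0
        if data[4:8] != b"jumb" or data[12:16] != b"jumd" or len(data) < 34:
            continue
        label_present = data[32] & 0x02
        if label_present and data[33:].split(b"\x00", 1)[0] == b"c2pa":
            return True
    return False

def credential_survived(before: bytes, after: bytes) -> bool:
    """Did a file that carried a manifest store still carry one after the CMS round trip?"""
    return has_c2pa_manifest_store(before) and has_c2pa_manifest_store(after)

def _constructed_jpeg(with_manifest: bool) -> bytes:
    """Constructed sample: structurally minimal, not a decodable image or a valid credential."""
    uuid = b"c2pa" + bytes(12)  # placeholder type UUID for the sample
    jumd_body = uuid + b"\x03" + b"c2pa\x00"
    jumd = struct.pack(">I", 8 + len(jumd_body)) + b"jumd" + jumd_body
    jumb = struct.pack(">I", 8 + len(jumd)) + b"jumb" + jumd
    body = b"JP" + struct.pack(">HI", 1, 1) + jumb
    app11 = b"\xff\xeb" + struct.pack(">H", 2 + len(body)) + body
    app0 = b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"
    return b"\xff\xd8" + app0 + (app11 if with_manifest else b"") + b"\xff\xda\x00\x02\xff\xd9"

if __name__ == "__main__":
    signed, stripped = _constructed_jpeg(True), _constructed_jpeg(False)
    print(credential_survived(signed, signed), credential_survived(signed, stripped))
```

A `True` result only means the manifest store is still in the file; resolving the signature chain to the trust list is the job of the public reader or the open libraries.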

07 · Annotated reading list

Eight verified sources for this page.

  1. Coalition for Content Provenance and Authenticity (2024). C2PA Technical Specification 2.1. 20 September 2024. spec.c2pa.org HTML · PDF
  2. Coalition for Content Provenance and Authenticity (2025). C2PA Technical Specification 2.2. 1 May 2025. PDF · Explainer
  3. C2PA (2025). Content Credentials Whitepaper. October 2025. c2pa.org PDF
  4. Adobe (2024). Authenticity in the Age of AI — Growing Content Credentials Momentum. 18 September 2024. Adobe blog
  5. Adobe (2024). Adobe Summit 2024 — Expanding Access for Content Credentials. 26 March 2024. Adobe blog
  6. JPEG Committee (2024). JPEG Trust becomes an International Standard. JPEG 105th Meeting, Berlin, December 2024. jpeg.org press release · JPEG Trust home
  7. Saberi, M. et al. (2023). Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks. arXiv preprint. arXiv:2310.00076 — fundamental trade-offs in watermarking and detector robustness.
  8. World Standards Cooperation (2024). Standards Collaboration on AI Watermarking, Multimedia Authenticity and Deepfake Detection. WSC announcement

08 · Frequently asked

Provenance FAQ.

What is C2PA?

The Coalition for Content Provenance and Authenticity (C2PA) is an open technical standard for cryptographically signing the origin and edit history of digital content. The signed structure — called a Content Credential — is built from X.509 certificates, CBOR, and JUMBF, and embedded in the asset itself. The current public specification is version 2.2 (1 May 2025).

Who supports C2PA today?

Steering members include Adobe, Microsoft, Google, OpenAI, Meta, BBC, Sony, and Truepic. As of 2024, TikTok was the first major social platform to attach Content Credentials to AI-generated uploads; Google integrated Content Credentials into Search and ad systems; Amazon attached them to Titan Image Generator outputs; LinkedIn displays them on uploads; and Google's Pixel 10 (September 2025) reached C2PA Conformance Assurance Level 2 — the highest tier currently defined for a mobile camera app.

Is C2PA a solution to deepfakes?

It is a solution to a specific problem: identifying media produced by cooperating tools and platforms. It says “this asset was produced by these tools, in this order.” It does not say the underlying claim is true; does not address adversarial uses of non-cooperating models; does not survive every transformation; and does not retroactively apply to content that was never signed. Detection (/research-lab) and provenance are complementary, not substitutes.

Can a watermark be removed?

Often, yes — though the difficulty depends on perturbation budget. Saberi et al. (arXiv:2310.00076) showed a fundamental trade-off between watermark evasion error and spoofing error for low-perturbation methods. For high-perturbation methods, model-substitution adversarial attacks remain effective.

What is JPEG Trust?

ISO/IEC 21617 — JPEG Trust — is an international standard for asserting media authenticity, provenance, attribution, IP, and integrity throughout the life cycle of an asset. The Core Foundation (Part 1) was approved for publication at the JPEG 105th Meeting in Berlin in October 2024. Part 3 covers watermarking. JPEG Trust is complementary to C2PA, not a competitor.

Where can I verify a Content Credential?

The official public reader is at contentcredentials.org/verify. Drag a file in and the reader resolves the chain to the C2PA Trust List root. The libraries to do the same in your own application are c2pa-rs (Rust) and c2pa-js (JavaScript), both Apache-2.0 licensed.
