C2PA & Media Signing
What is C2PA?
The Coalition for Content Provenance and Authenticity (C2PA) is an open technical standard that lets creators embed signed provenance metadata directly into media files.
When you open a C2PA-signed JPEG in a supporting tool (e.g. Adobe Photoshop, the Content Credentials browser extension), you see:
- Who signed the file and with what key
- When it was signed
- What tools were used to create or modify it
- Whether the file has been tampered with since signing
How Tauth implements C2PA
```text
JPEG / PNG / PDF / Video
          │
          ▼
┌─────────────────────────────────┐
│ C2PA Manifest (JUMBF)           │
│ ├── Claim (metadata assertions) │
│ └── Claim Signature             │
│     └── ES384 via Azure KV      │
└─────────────────────────────────┘
          │
          ▼
Hash anchored on Ethereum Sepolia
```

- Tauth builds a C2PA claim containing your manifest assertions (title, creator, software agent, custom metadata).
- The claim is serialised to CBOR and hashed (SHA-384).
- The hash is sent to Azure Key Vault, which signs it with the leaf key (`leaf-test`) using ES384.
- The signature is embedded into the file alongside the claim.
- The file's SHA-256 hash is written to the on-chain registry contract.
Certificate chain
```text
Root CA (tauth-root-ca-key, Azure KV)
└── Sub-CA (tauth-sub-ca-key, Azure KV)
    └── Leaf cert (leaf-test, Azure KV)
        └── Signs media files
```

CRLs and OCSP are available, so any verifier can check certificate validity without calling Tauth.
Supported file types
| Format | Embedding |
|---|---|
| JPEG | JUMBF segment in APP11 |
| PNG | JUMBF chunk |
| PDF | XMP + JUMBF |
| MP4/MOV | Side-car .c2pa file (embedded planned) |
Verification
Anyone can verify a signed file without a Tauth account:
```bash
curl -X POST http://your-server:8003/v1/media/verify \
  -F "file=@signed-photo.jpg"
```

The response includes the extracted manifest and an `is_valid` boolean.
For on-chain verification, query the registry contract directly on Etherscan Sepolia using the file's SHA-256 hash.
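The signing pipeline described above (SHA-384 over the serialised claim, ES384 signature, SHA-256 registry hash) and the corresponding local verification, reproduced with the openssl CLI as an added example that is not Tauth's code. It assumes openssl is installed, generates a throwaway P-384 key in place of the Azure Key Vault leaf key `leaf-test`, and uses a constructed JSON claim in place of the real CBOR/JUMBF structure.

```shell
#!/bin/sh
# Added example, not Tauth's code. A locally generated P-384 key stands in for the
# Azure Key Vault leaf key "leaf-test"; the claim is a constructed JSON stand-in for
# Tauth's CBOR-serialised claim (signing and verification are byte-oriented either way).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the KV leaf key: ES384 is ECDSA over P-384 with SHA-384.
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/leaf.pem" 2>/dev/null
openssl ec -in "$WORK/leaf.pem" -pubout -out "$WORK/leaf.pub" 2>/dev/null

# sign_claim CLAIM: hash the claim bytes with SHA-384 and sign the digest,
# which is the operation Azure Key Vault performs for Tauth. Writes CLAIM.sig.
sign_claim() {
  openssl dgst -sha384 -sign "$WORK/leaf.pem" -out "$1.sig" "$1"
}

# verify_claim CLAIM PUBKEY: succeed only if CLAIM.sig is a valid ES384
# signature over CLAIM; any change to the claim bytes makes this fail.
verify_claim() {
  openssl dgst -sha384 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# registry_hash FILE: the SHA-256 hex digest Tauth writes to the on-chain
# registry, and the value to look up on the registry contract.
registry_hash() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Constructed sample claim and media bytes (not a real JUMBF/C2PA structure).
printf '{"title":"sunset.jpg","creator":"example","software_agent":"tauth-demo"}' \
  > "$WORK/claim.json"
printf 'hello' > "$WORK/photo.jpg"

sign_claim "$WORK/claim.json"
if verify_claim "$WORK/claim.json" "$WORK/leaf.pub"; then
  echo "claim signature: valid"
else
  echo "claim signature: INVALID"
fi
echo "registry hash (SHA-256): $(registry_hash "$WORK/photo.jpg")"
```

A production verifier additionally checks that the signing certificate chains to the Tauth root and is not revoked (CRL/OCSP), which the throwaway key here cannot demonstrate.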