C2PA 2.4
C2PA 2.4
The Coalition for Content Provenance and Authenticity (C2PA) defines how digital content records its origin and edit history through cryptographically signed manifests.
What Verbitas implements
- Manifest builder — constructs JUMBF-encoded claim structures with typed assertions
- RemoteSigner — dispatches COSE_Sign1 operations to an isolated KMS signer; the signer is the only KMS caller
- Embedder — injects manifests into JPEG APP11, PNG
caBX, and sidecar files - Parser — with 32 MiB cap, CBOR depth ≤ 32, depth-bomb protection
- Verifier — multi-signal result using the closed
VerificationStatusenum
Supported assertions
| Assertion | Description |
|---|---|
ai_generated | Content is AI-generated |
generator | Name of the generating system |
model | Model identifier used for generation |
prompt_hash | SHA-256 of the generation prompt |
created_at | ISO 8601 creation timestamp |
editor | Editor identity (editorial recipes) |
published | Publication record (editorial recipes) |
exif | EXIF metadata preservation |
Verification states
See Verification states for the complete list.
Trust list
Verbitas maintains a configurable trust list of signing certificate authorities. Enterprise tenants may configure custom trust lists via the tenant API.