C2PA Signer lets you verify Content Credentials directly in Chrome without uploading files to a C2PA Signer backend. Verification runs locally in your browser — useful for newsroom desks, brand QA, legal review and developer debugging.
This guide covers installation, file verification, page scanning, report fields, optional test signing, and how to read results responsibly in production workflows.
Install the extension
Install C2PA Signer from the Chrome Web Store or visit the install page for permissions and privacy context.
Pin the extension to your toolbar for faster access during daily review. After install, open the popup once to confirm the UI loads and permissions are granted.
Permissions and privacy
C2PA Signer is designed for local-first verification. File bytes you drop into the popup are parsed in-browser — they are not sent to a C2PA Signer server for verification. Page scan reads media URLs visible on the active tab to fetch and inspect assets you choose to analyze.
Read the Privacy Policy before deploying across a newsroom or enterprise fleet. IT administrators may require Chrome policy allow-listing for the extension ID during rollout.
Verify a local file
- Click the C2PA Signer icon in the Chrome toolbar.
- Drop a supported file into the popup or use the file picker.
- Wait for local parsing — verification runs in your browser.
- Review the status badge and open the report for manifest details.
Supported verification formats: JPEG, PNG, PDF, MP4, MOV and WebM.
Tip: Compare the same file before and after CMS export or CDN delivery. If status changes from Trusted to No credentials, the pipeline stripped manifests — not an editorial issue.
Scan the current page
Use page scan to inspect visible media on the active tab. The extension lists detected assets with status badges so you can compare credentials across images on a news article, product page or social embed.
Page scan is ideal for verifying what readers actually see on a live URL — especially after publish. It complements DAM verification on masters because delivery paths may differ from stored originals.
| Method | Best for | Limitation |
|---|---|---|
| File drop | Masters, email attachments, wire downloads | Does not reflect live CDN transforms |
| Page scan | Published articles, partner pages | Only visible media; cross-origin restrictions may apply |
Interpret status badges
- Trusted — valid signature with trusted chain for configured policy.
- Signed but untrusted — valid signature, signer not trusted by policy.
- Invalid — manifest or signature failed validation.
- No credentials — no C2PA data found; not proof of falsity.
See Signed but untrusted explained when reviewers escalate untrusted wire photos that are cryptographically valid.
Open the detailed report
The report exposes manifest structure, declared actions, ingredients, signature details and certificate chain information. Key sections to review:
- Claim generator — software or service that produced the manifest.
- Actions — ordered history (c2pa.created, c2pa.edited, c2pa.generative, etc.).
- Ingredients — parent assets referenced by this file.
- Signature & certificate — issuer, validity, chain path for audit logs.
Export or share reports for editorial, legal or compliance review workflows. Store reports alongside CMS asset IDs for traceability.
Test signing (optional)
C2PA Signer supports local test signing on supported formats so developers and journalists can experiment with credentials without a production CA. Test-signed files typically verify as Signed but untrusted — expected behavior.
Use test signing to prototype CMS integrations, train editors on reading reports, and validate that your export settings preserve manifests through your toolchain.
Troubleshooting
- No credentials on a known signed file — re-export without “strip metadata” options; check if the file was screenshot or re-saved.
- Invalid after CMS publish — CMS may re-encode images; enable C2PA-preserving transforms or sign after final renditions.
- Page scan misses images — lazy-loaded or background-image CSS may require scrolling into view first.
- Untrusted on partner content — update trust list or confirm partner uses production certificates.
Limits to remember
C2PA Signer verifies provenance signals — it does not detect AI-generated content, deepfakes or misinformation by itself. Unsigned media requires other review processes. Read the full limitations page before deploying in production newsroom or compliance contexts.