DocsTrust chains
Trust chains

Understanding C2PA trust chains

A trusted C2PA result requires more than a mathematically valid signature. The signing certificate must also chain to a recognized trust source.

Trust tiers

From media signature to recognized trust source

01End-entity certificate

The certificate that signs the C2PA manifest or claim.

02Intermediate certificate

An issuer certificate that connects the signing certificate toward a trust source.

03Recognized authority

A trust anchor or recognized source used to decide public trust status.

Validation traversal

How the extension evaluates the path

StepQuestionPossible outcome
SignatureDoes the signature validate against the manifest and media?Invalid if signature or integrity validation fails.
Certificate pathCan the signing certificate be linked to an issuer chain?Signed but untrusted if the signature is valid but public trust is not recognized.
Trust sourceDoes the chain terminate in a recognized C2PA trust source?Trusted when the evidence and chain are valid and recognized.
Local-first security

Trust evaluation is designed to support local review. Media files are not uploaded to a C2PA Signer backend for trust-chain inspection.

Status mapping

Why a valid signature can still be untrusted

Signed but untrusted

The signature can be cryptographically valid while the certificate chain is not recognized as public trust.

Trusted

The media has valid C2PA evidence and the signing certificate chains to a recognized trust source.