A short flow for a clear decision

The C2PA Signer workflow is built on three practical pillars: local signing, integrity verification and visual provenance scanning. The goal is clear evidence for review, not a verdict on truth.

verified_userVerification grade terminalLocal-first workflow

Cryptographic identity

Sign with a Certificate

Embed C2PA Content Credentials directly into your assets. With supported signing material, C2PA Signer creates a manifest containing identity, action and tool metadata, then binds that manifest to the file for later integrity review.

  • check_circleImported certificate workflows
  • check_circleTest certificates for demos and development
draw
Algorithm
PS256 / ED25519
Certificate
TEST_OR_IMPORTED
Manifest
SHA-256_HASH_B3..
Technical visualization of a media file being wrapped with a C2PA manifest
fingerprintIntegrity CheckHash comparison
account_treeManifest TreeProvenance chain
descriptionMetadataIssuer and date
historyProvenanceAction history

Forensic audit

Verify a File

The local-first engine parses C2PA data without uploading your content to a C2PA Signer backend. It verifies the signature, checks file integrity and rebuilds the provenance report so reviewers can understand the available evidence.

“Integrity is about whether the observed file still matches the signed provenance evidence.”

Visual language

Scan a Page

C2PA Signer translates provenance and integrity checks into visible status indicators for media detected on the current page.

Trustedverified

Recognized source

Valid Content Credentials plus a recognized trust chain from configured trust sources.

Signed but untrustedwarning

Unrecognized certificate

The manifest is present and the signature can be valid, but the certificate is not publicly trusted.

Invalidgpp_bad

Integrity failed

C2PA data exists, but integrity or signature validation failed for the observed file.

No credentialsblock

No C2PA evidence

No C2PA evidence was detected. This does not mean the content is false or fake.

Local-first Architecture

storage

Browser-side processing

Verification and signing workflows are designed to run locally. Selected files are not uploaded to a C2PA Signer backend for analysis.

security

Certificate-aware trust

Reports separate valid signatures from recognized public trust. Test certificates remain useful for demos, not production trust.

// C2PA Manifest Definition
{
  "alg": "PS256",
  "ta_url": "https://trust.c2pa.org",
  "assertions": [
    {
      "label": "c2pa.actions",
      "data": { "actions": [{"action": "c2pa.created"}] }
    },
    {
      "label": "c2pa.metadata",
      "data": { "author": "Local System" }
    }
  ]
}