Use C2PA tool

To use C2PA tool:

1. Get your image to be signed and the manifest to be embedded in place.
   1. Image A.jpg is the image being signed in the command below.
   2. Manifest See this link to learn more about manifests.  You are required to pass "alg": "ps256" and "sign_cert": "chain.pem" in the manifest being passed in the command. If you receive an error Invalid signing algorithm provided, try using es256 instead.

      Note

      1. Whether you need to use ps256 or es256 depends on your account level configuration.
      2. chain.pem is the default name of the certificate you download from the Content Trust Manager dashboard.
      3. Use this sample manifest file to use with the code samples provided in this reference file: manifest.json
2. Command for signing the manifest file:

   c2patool A.jpg \ 
   
   --manifest manifest.json \ 
   
   --output signed-image.jpg \ 
   
   --signer-path ./target/release/remote-signer \ 
   
   --no_signing_verify -f -d
   

3. Understand the commands:

   Command	Explanation
   C2patool A.jpg	Input file A.jpg to be signed.
   –manifest manifest.json \	JSON manifest containing metadata (claim generator, assertions, signing algorithm, certificate chain).
   –output signed-image.jpg \	Output file with embedded manifest. Original A.jpg is unchanged.
   –signer-path ./target/release/remote-signer \	Uses external signer binary c2patool pipes claim bytes into this program which returns a signature.
   –no_signing_verify -f -d	Skips verification of the signature. Useful for testing but carries risk if something goes wrong.
   -f	Forces overwrite signed-image.jpgif it already exists.
   -d	Enabled debug logging for troubleshooting.