Skip to main content

Use C2PA tool

To use C2PA tool:

  1. Get your image to be signed and the manifest to be embedded in place.

    1. Image

      A.jpg is the image being signed in the command below.

    2. Manifest

      See this link to learn more about manifests.  You are required to pass "alg": "ps256" and "sign_cert": "chain.pem" in the manifest being passed in the command. If you receive an error Invalid signing algorithm provided, try using es256 instead.

      Note

      1. Whether you need to use ps256 or es256 depends on your account level configuration.  

      2. chain.pem is the default name of the certificate you download from the Content Trust Manager dashboard. 

      3. Use this sample manifest file to use with the code samples provided in this reference file: manifest.json

  2. Command for signing the manifest file:

    c2patool A.jpg \ 

 --manifest manifest.json \ 

 --output signed-image.jpg \ 

--signer-path ./target/release/remote-signer \ 

 --no_signing_verify -f -d

  3. Understand the commands:

    Command

    Explanation

    C2patool A.jpg

    Input file A.jpg to be signed.

    --manifest manifest.json \

    JSON manifest containing metadata (claim generator, assertions, signing algorithm, certificate chain).

    --output signed-image.jpg \

    Output file with embedded manifest. Original A.jpg is unchanged.

    --signer-path ./target/release/remote-signer \

    Uses external signer binary c2patool pipes claim bytes into this program which returns a signature.

    --no_signing_verify -f -d

    Skips verification of the signature. Useful for testing but carries risk if something goes wrong.

    -f

    Forces overwrite signed-image.jpg if it already exists.

    -d

    Enabled debug logging for troubleshooting.

In this section: