Cryptographic provenance
C2PA 2.4 manifests, signed at scale.
The Coalition for Content Provenance and Authenticity (C2PA) defines how digital content records its origin and edit history through cryptographically signed manifests. Verbitas builds, signs, embeds, parses, and verifies them as part of a layered provenance stack—not as a single “authenticity” verdict.
What Verbitas implements
- —Manifest builder — JUMBF-encoded claim structures with typed assertions
- —RemoteSigner — COSE_Sign1 via an isolated KMS signer; only the signer calls KMS
- —Embedder — JPEG APP11, PNG
caBX, and sidecar manifests - —Parser — 32 MiB cap, CBOR depth ≤ 32, depth-bomb protection
- —Verifier — multi-signal result using the closed
VerificationStatusenum
Supported assertions
| Assertion | Description |
|---|---|
| ai_generated | Content is AI-generated |
| generator | Name of the generating system |
| model | Model identifier used for generation |
| prompt_hash | SHA-256 of the generation prompt |
| created_at | ISO 8601 creation timestamp |
| editor | Editor identity (editorial recipes) |
| published | Publication record (editorial recipes) |
| exif | EXIF metadata preservation |
Sign with AI generation recipe (example)
curl -X POST https://api.verbitas.io/v1/sign \ -H "Authorization: Bearer $VERBITAS_API_KEY" \ -H "Idempotency-Key: $(uuidgen)" \ -F "[email protected]" \ -F "recipe=image-genai-v1" # Signals typically include c2pa + watermark layer (e.g. trustmark)
Trust list
Verbitas maintains a configurable trust list of signing certificate authorities. Enterprise tenants may configure custom trust lists via the tenant API.
We do not prove that depicted events are “true”; we expose explainable verification states. See docs for verification states and compliance positioning.
Layer cryptographic provenance with watermarks.
C2PA plus durable watermarking and soft-binding give you overlapping signals—not a single point of failure.