C2PA content credentials

C2PA (Coalition for Content Provenance and Authenticity) is a cross-industry standard for embedding cryptographically signed provenance information in images — who created them, what edits were made, by which tools. Metawatch checks every image we fetch for a C2PA manifest, alongside the IPTC scoring.

Images analysed 6,845
With a C2PA manifest 15
% with C2PA 0.22%

C2PA-bearing images over time

Absolute count of images carrying a C2PA manifest across crawl runs.

04812172026-05-192026-06-032026-06-152026-07-01451515Images with C2PA

As a share of all images sampled in each run:

0.00%0.28%0.55%0.83%1.10%2026-05-192026-06-032026-06-152026-07-010.09%0.10%0.22%0.22%% with C2PA

Outcomes

A C2PA manifest can fail validation for very different reasons. We bucket each image we find into one of these outcomes so the headline number stays honest:

OutcomeMeaningImages
valid Cryptographically clean, issuer in our trust list, bytes unmodified. 13
modified Manifest signature verified, but the data hash no longer matches — the image bytes were changed after signing (typically by a CDN re-encode). 1
expired Signing certificate has expired. The image's authenticity claim can't be verified even though the manifest is structurally intact. 1
untrusted_issuer Manifest is structurally fine but the signing certificate isn't in our default trust list. Often legitimate (e.g. Adobe, Canva) — we list them here rather than as outright failures. 0
other_invalid Some other validation failure — see the validation_states breakdown below. 0

Top signers

Issuers of the certificates used to sign the manifests we found.

Signer / IssuerImages
OpenAI OpCo, LLC 6
International Press Telecommunications Council 4
Adobe Inc. 3
Canva 2

Raw validation states

The states returned by the c2pa-rs library before bucketing — useful if you want to drill into a specific failure mode.

StateImages
Valid 13
Invalid 2

Top sites by C2PA images

SiteCountryImages with C2PA
IPTC United Kingdom 4
Kloop Kyrgyzstan 2
The Astana Times Kazakhstan 2
Mauriactu Mauritania 2
Le Pays Chad 2
237actu Cameroon 1
Livedoor News Japan 1
The Kathmandu Post Nepal 1

Detection uses the c2pa-python binding to the Rust c2pa-rs library. Presence-first: an image is flagged as C2PA-bearing when a JUMBF manifest can be parsed from the file. We record the signing certificate's issuer and the validation state for further analysis, but do not yet introspect individual c2pa.metadata or cawg.metadata assertions (that's planned).