C2PA content credentials
C2PA (Coalition for Content Provenance and Authenticity) is a cross-industry standard for embedding cryptographically signed provenance information in images — who created them, what edits were made, by which tools. Metawatch checks every image we fetch for a C2PA manifest, alongside the IPTC scoring.
C2PA-bearing images over time
Absolute count of images carrying a C2PA manifest across crawl runs.
As a share of all images sampled in each run:
Outcomes
A C2PA manifest can fail validation for very different reasons. We bucket each image we find into one of these outcomes so the headline number stays honest:
| Outcome | Meaning | Images |
|---|---|---|
valid | Cryptographically clean, issuer in our trust list, bytes unmodified. | 13 |
modified | Manifest signature verified, but the data hash no longer matches — the image bytes were changed after signing (typically by a CDN re-encode). | 1 |
expired | Signing certificate has expired. The image's authenticity claim can't be verified even though the manifest is structurally intact. | 1 |
untrusted_issuer | Manifest is structurally fine but the signing certificate isn't in our default trust list. Often legitimate (e.g. Adobe, Canva) — we list them here rather than as outright failures. | 0 |
other_invalid | Some other validation failure — see the validation_states breakdown below. | 0 |
Top signers
Issuers of the certificates used to sign the manifests we found.
| Signer / Issuer | Images |
|---|---|
OpenAI OpCo, LLC | 6 |
International Press Telecommunications Council | 4 |
Adobe Inc. | 3 |
Canva | 2 |
Raw validation states
The states returned by the c2pa-rs library before bucketing — useful if you want to drill into a specific failure mode.
| State | Images |
|---|---|
Valid | 13 |
Invalid | 2 |
Top sites by C2PA images
| Site | Country | Images with C2PA |
|---|---|---|
| IPTC | United Kingdom | 4 |
| Kloop | Kyrgyzstan | 2 |
| The Astana Times | Kazakhstan | 2 |
| Mauriactu | Mauritania | 2 |
| Le Pays | Chad | 2 |
| 237actu | Cameroon | 1 |
| Livedoor News | Japan | 1 |
| The Kathmandu Post | Nepal | 1 |
Detection uses the c2pa-python
binding to the Rust c2pa-rs library. Presence-first: an image is flagged as
C2PA-bearing when a JUMBF manifest can be parsed from the file. We record the
signing certificate's issuer and the validation state for further analysis,
but do not yet introspect individual c2pa.metadata or
cawg.metadata assertions (that's planned).