Think Twice Before Claiming AI Work as Your Own — What C2PA Content Credentials Prove

Think twice before you claim an AI-generated image as your own work — or assume a quick edit will scrub away where it really came from. A growing number of the tools you’re already using write a permanent, cryptographically signed record of how a file was made directly into the file itself. It’s called a C2PA Content Credential, and it survives more editing than most people expect.

I validate these manifests as part of snapWONDERS’ forensic pipeline, so I’ve spent a lot of time with what the signature actually proves — and, just as importantly, where the chain holds and where it quietly breaks.

What C2PA actually is

C2PA — the Coalition for Content Provenance and Authenticity — is an open standard. Adobe, Microsoft, Google, Leica, Nikon, the BBC, and dozens of other organisations back it. The goal: give a camera, an editing tool, or an AI generator a way to sign a permanent, verifiable record of what it did to a piece of media, embedded in the file, that travels with the file wherever it goes.

Where the record lives depends on the format. In JPEG it’s a JUMBF box inside an APP11 marker segment. In PNG it’s a dedicated caBX chunk. Either way, it’s a structured manifest sitting inside the file’s own byte structure — not a separate sidecar, not something a platform attaches after the fact.

How the signed record works

The manifest is signed using COSE — the same cryptographic signing standard behind passkeys and FIDO2 security keys. A certificate chain, rooted in a trust list, lets anyone verify the signature without ever contacting the signer.

That signature covers exactly two things:

  1. Which tool or camera signed the manifest. The certificate identifies the signer — Adobe Firefly, a specific Leica body, Google’s Pixel camera pipeline, whatever wrote the record.
  2. That the pixel data hasn’t changed since the manifest was signed. This is a hash binding — the manifest contains a cryptographic hash of the image content at signing time. If a single pixel changes afterward, the hash no longer matches and the binding breaks.

That’s the entire guarantee. It’s a strong one, but it’s a narrow one — and the narrowness is the part worth sitting with.

Flat two-column table diagram showing LHS and RHS on what cp2a can / cannot do

The field that decides what a file is declared to be

Inside the manifest sits a field called digitalSourceType:

  • digitalCapture — the content came from a camera at the moment of capture
  • trainedAlgorithmicMedia — the content is fully AI-generated
  • compositeWithTrainedAlgorithmicMedia — a photo that’s been AI-edited, not fully generated
lat technical diagram, white background, three horizontal rows stacked vertically, each row containing covering a key group in c2pa

This field is doing a lot of work. It’s a self-declaration written by whatever software created the file — which is exactly where the honesty problem starts, and exactly why the next part matters.

What happens when you edit a file that already has a manifest

This is the part most explainers skip, and it’s the actual substance behind “think twice.”

C2PA doesn’t just let a tool overwrite the previous manifest and move on. When a C2PA-aware editor opens a file that already carries a credential, it’s expected to record the prior file as an ingredient — referencing the earlier manifest by hash inside the new one, alongside an action log (opened, edited, composited, cropped, whatever actually happened). If that ingredient’s own manifest already declared trainedAlgorithmicMedia, that lineage doesn’t vanish just because you painted over a corner in a compliant editor. The new manifest typically updates digitalSourceType to compositeWithTrainedAlgorithmicMedia — AI-generated material is still a documented component, even after the edit.

In other words: for a growing set of mainstream tools, quietly editing the AI origin out of an image is no longer as simple as re-saving it.

The catch, and it matters: this only holds inside the C2PA-aware ecosystem. A tool that doesn’t read or write C2PA data — or a deliberate metadata strip — breaks the chain completely, and the file goes back to carrying no signal at all. The credential isn’t a permanent tattoo. It’s a record that only survives as long as every tool in the editing chain keeps choosing to participate.

Flat technical flow diagram, white background showcasing c2pa concepts

When a provider signs twice

The manifest isn’t always the only trail. Google pairs its C2PA manifest with an independent, pixel-level watermark called SynthID on Gemini-generated images — and its own pipeline records the two together: the manifest documents that a SynthID watermark was applied at the same moment it declares the content trainedAlgorithmicMedia. Two distinct signals, from the same generation event, doing different jobs. The manifest carries the provenance chain. The watermark is baked into the pixel data itself, and survives edits the manifest can’t — Google states it persists through ordinary EXIF and XMP changes and can’t be removed that way.

That distinction matters for the strip-it-and-walk-away scenario. Delete the entire C2PA manifest — remove the box outright — and the “SynthID applied” note goes with it, because that note lives inside the manifest you just deleted. But the actual watermark bits in the pixels were never part of the manifest. They’re a separate, independently-recoverable signal.

So a file can end up with the underlying watermark still detectable and no C2PA manifest at all. That’s a specific, meaningful finding, not just an absence: the content came from a pipeline that documents its own AI generation, and the provenance record that should have shipped with it isn’t there anymore. That’s a stronger position than a bare “no manifest,” precisely because you know — independently of the missing manifest — that one should exist.

The honest limits still apply, and they’re worth stating plainly. Detecting the watermark itself requires the provider’s own detector — Google’s SynthID verification isn’t something a third-party tool can decode from the pixels unassisted, and that’s a practical gap most forensic pipelines, this one included, don’t currently close. A missing manifest also still doesn’t tell you who removed it or why — most platforms strip all metadata automatically on upload, which produces the identical result to a deliberate strip. What a detectable watermark against a missing manifest tells you is narrower but real: the record didn’t survive from generation to here. Not proof of intent. Not nothing, either.

Who’s actually signing images right now

Adoption is real but early. Adobe Photoshop and Adobe Firefly write manifests. So does DALL-E 3. Midjourney has added voluntary support. On the hardware side, Leica’s M11-P signs images at the point of capture — the shutter press itself creates the credential. Google’s Pixel 10 does the same at the hardware level.

That’s still a small slice of the images in circulation. Most cameras in the world, most phones, most editing tools — none of them write a manifest yet.

What the credential can’t tell you

Three specific gaps, none of them edge cases:

It can’t verify the human. The certificate verifies the signing tool or device, not the person operating it. A legitimate Leica certificate says “this file was signed by a Leica M11-P” — it says nothing about who was holding the camera or what they photographed.

No manifest means no signal at all — not a red flag. The overwhelming majority of images circulating today were never signed by anything, because the camera or software that made them predates C2PA adoption, simply doesn’t implement it, or had its chain broken by a non-compliant tool as above. An image with no credential is not suspicious. It’s normal. Treating “no credential” as evidence of deception would flag almost every photo ever taken.

It says nothing about content made before the signing tool existed. A manifest can only attest to what happened from the moment it was written forward.

This is the trust-anchor problem in miniature: C2PA gives you a strong cryptographic chain from signature to pixel data, but the chain has to start somewhere, and that starting point is still a claim, not an independent fact.

Which platforms read and display it

LinkedIn now shows a small “cr” badge on images it identifies from a C2PA manifest — click it and it tells you whether the image is a verified camera capture or declared AI-generated. X has announced C2PA support and has been rolling out the same kind of display. Neither platform generates credentials of its own; both are reading and surfacing what the creating tool already wrote into the file.

What snapWONDERS reads from the manifest

When an uploaded file carries a C2PA manifest, snapWONDERS validates the full chain — not just whether a manifest is present. That means checking the COSE signature against a trust-anchor list, confirming the hash binding still matches the pixel data, walking the ingredient chain when one exists, and extracting the digitalSourceType declaration. A manifest that fails signature validation, or whose hash no longer matches the file’s actual pixels, is a materially different finding than a manifest that checks out cleanly — and both are different again from a file with no manifest at all. All three outcomes feed into the same forensic report, alongside the metadata, compression, and pixel-level signals I’ve covered in earlier articles.

The manifest, when it validates, is one strong signal among several — not a replacement for the rest of the analysis. An AI-declared manifest that’s cryptographically intact, ingredient chain and all, is about as strong a signal as forensic analysis gets. A missing manifest just means you fall back to the signals that don’t depend on anyone’s honesty.

Run C2PA validation on any image

Close

The chain is real cryptography doing real work — and for a growing slice of the tools already on your desktop, it’s harder to edit away an AI origin than most people assume. It was never built to vouch for the human behind the file, or for the billions of images that will never carry one at all.


Kenneth Springer is the founder of snapWONDERS, a digital forensic analysis platform for images and video. C2PA manifest validation — signature chain, hash binding, ingredient chain, and digitalSourceType extraction — runs automatically on every file analysed through the platform. He also built Vaultify, a steganography tool for embedding hidden content within media files. snapWONDERS forensic analysis — no account required.

Leave a Reply

Your email address will not be published. Required fields are marked *