Skip to main content

Manifest definition file

C2PA Tool reads a manifest definition JSON file with a .json extension. This file defines a single manifest to be added to an asset's manifest store. In the manifest definition file, file paths are relative to the location of the file unless you specify a base_path field.

JSON format

The C2PA specification describes a manifest that has a binary structure in JPEG universal metadata box format (JUMBF). However, C2PA Tool works with a JSON manifest structure that's easier to understand and work with. It's a declarative language for representing and creating a manifest in binary format.

See also JSON manifest reference.

Adding a claim generator icon

You can specify an icon to be displayed by tools such as Inspect tool on Adobe Content Authenticity (Beta) (also called ACA Inspect) to indicate the signer of the manifest.

To do this, add a claim_generator_info property to the manifest definition. The claim_generator_info.icon property contains information on the icon:

  • icon.format specifies the MIME type of the icon file. SVG format is preferred, but you can also use PNG or JPEG formats.
  • icon.identifier specifies the name of the icon file.

For example:

"claim_generator_info": [
	{
		"name": "My App",
		"version": "0.1.0",
		"icon": {
			"format": "image/svg+xml",
			"identifier": "logo.svg"
		}
	}
],

To add the icon using C2PA Tool, make sure the icon file and the manifest definition file are in the same directory where you are running c2patool. Then, you can add the icon by using a command like this:

c2patool image_to_sign.jpg -m manifest.json -o signed_with_icon.jpg

NOTE: ACA Inspect will only display an icon for a signing certificate if the certificate can be traced back to a root certificate on the C2PA trust list.

Special properties used by C2PA Tool

The following manifest properties are specific to C2PA Tool and used for signing manifests:

  • alg: Signing algorithm to use. See Creating and using an X.509 certificate for possible values. Default: es256.
  • private_key: Private key to use. Default: es256_private.key
  • sign_cert: Signing certificate to use. Default: es256_certs.pem
  • ta_url: Time Authority URL for getting a time-stamp (for example, http://timestamp.digicert.com). A time-stamp provides a way to confirm that the manifest was signed when the certificate was valid, even if the certificate has since expired. However, the Time Authority URL requires a live online connection for confirmation, which may not always be available.

Example

The example below is a minimal manifest definition that uses a default testing certificate in the sample folder that are also built into the c2patool binary.

NOTE: When you don't specify a key or certificate in the manifest private_key and sign_cert fields, the tool will use the built-in key and cert. You'll see a warning message, since they are meant for development purposes only.

For actual use, provide a permanent key and certificate in the manifest definition or environment variables; see Creating and using an X.509 certificate.

{
    "alg": "es256",
    "private_key": "/Users/randmckinney/work/cai/c2pa-rs/cli/sample/es256_private.key",
    "sign_cert": "/Users/randmckinney/work/cai/c2pa-rs/cli/sample/es256_certs.pem",
    "ta_url": "http://timestamp.digicert.com",

    "claim_generator": "TestApp",
    "assertions": [
        {
          "label": "c2pa.actions.v2",
          "data": {
            "actions": [
              {
                "action": "c2pa.created",
                "softwareAgent": "My Demo",
                "digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/digitalArt"
              }
            ],
            "allActionsIncluded": true
          }
        }
      ]
}