Verify tool known certificate list
The C2PA Verify tool uses a list of known certificates (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. If an asset's Content Credential was not signed by a known certificate, the Verify tool will display this message:
Conversely, if the Content Credential was signed by a known certificate, the Verify tool will display the name of the certificate owner and time of the claim signature.
The C2PA intends to publish an official public list of known certificates. Until then, Verify uses a temporary list. The list is subject to change and will be deprecated when C2PA publishes the official list.
Temporary known certificate list
The contentcredentials.org site hosts the following files that it uses to validate signing certificates. Together, these files form the temporary known certificate list:
- The temporary end-entity certificate list, https://contentcredentials.org/trust/allowed.pem, consists of end-entity certificates. If a certificate is on this list, it is considered "known." To reduce bandwidth consumption, a version containing only the SHA-256 hashes of those certificates (allowed.sha256.txt) is also available.
- The temporary known anchor list, https://contentcredentials.org/trust/anchors.pem, contains the known anchor certificates. If an end-entity certificate's chain can be traced back to an anchor certificate on this list, the certificate is considered "known."
- The configuration file, https://contentcredentials.org/trust/store.cfg, specifies the Extended Key Usage (EKU) values accepted for end-entity certificates. An end-entity certificate must have at least one of the EKUs in this list to be valid.
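To make the roles of these files concrete, the following TypeScript example (added here; it is not code from the C2PA project or from the c2pa-js library) parses a PEM bundle, derives the hash form of the allowed list, parses the EKU configuration, and applies the rules above to an end-entity certificate. Everything in it is constructed: the certificate bodies are placeholder bytes rather than real X.509 data, and the one-hex-digest-per-line layout for allowed.sha256.txt and one-OID-per-line layout for store.cfg are assumptions, since the page does not describe the on-disk formats. Chain building to the anchors in anchors.pem is left to the library and is not modelled.

```typescript
import { createHash } from 'node:crypto';

// Constructed stand-in for allowed.pem. The "certificates" are NOT real X.509
// data, just base64 placeholders; the parsing, hashing and matching logic
// below does not depend on their contents.
const ALLOWED_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'AAECAwQFBgcICQ==', // placeholder DER, bytes 0x00..0x09
  '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----',
  'CgsMDQ4PEBESEw==', // placeholder DER, bytes 0x0a..0x13
  '-----END CERTIFICATE-----',
].join('\n');

// Constructed stand-in for store.cfg. Assumed format: one accepted EKU OID per
// line, '#' starts a comment. The two OIDs are id-kp-emailProtection and
// id-kp-documentSigning.
const STORE_CFG = `# accepted end-entity EKUs (constructed example)
1.3.6.1.5.5.7.3.4
1.3.6.1.5.5.7.3.36
`;

// Extract the DER bytes of every CERTIFICATE block in a PEM bundle.
function pemToDer(pem: string): Buffer[] {
  const re = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  const out: Buffer[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(pem)) !== null) {
    out.push(Buffer.from(m[1].replace(/\s+/g, ''), 'base64'));
  }
  return out;
}

function sha256Hex(der: Buffer): string {
  return createHash('sha256').update(der).digest('hex');
}

// Derive the hash form of the allowed list from the PEM form (assumed format:
// lowercase hex SHA-256 of each certificate's DER encoding, one per line).
function buildHashList(pem: string): string[] {
  return pemToDer(pem).map(sha256Hex);
}

// Lines of a config-style file with blanks and '#' comments stripped.
function nonCommentLines(text: string): string[] {
  return text
    .split(/\r?\n/)
    .map((l) => l.split('#')[0].trim())
    .filter((l) => l.length > 0);
}

function parseHashList(text: string): Set<string> {
  return new Set(nonCommentLines(text).map((l) => l.toLowerCase()));
}

function parseEkuConfig(text: string): Set<string> {
  return new Set(nonCommentLines(text));
}

interface TrustMaterial { allowedHashes: Set<string>; acceptedEkus: Set<string>; }

// ekuOk: the certificate carries at least one accepted EKU (validity rule).
// known: its DER hash is on the allowed list (direct known-certificate rule).
// accepted: both hold.
interface Verdict { ekuOk: boolean; known: boolean; accepted: boolean; }

// Apply the page's rules to an end-entity certificate whose DER bytes and EKU
// OIDs have already been extracted (a real X.509 parser is out of scope here).
function evaluateEndEntity(leafDer: Buffer, leafEkus: string[], trust: TrustMaterial): Verdict {
  const ekuOk = leafEkus.some((oid) => trust.acceptedEkus.has(oid));
  const known = trust.allowedHashes.has(sha256Hex(leafDer));
  return { ekuOk, known, accepted: ekuOk && known };
}

// Wire it together the way a client would after fetching the files.
function demo(): Verdict[] {
  const trust: TrustMaterial = {
    allowedHashes: parseHashList(buildHashList(ALLOWED_PEM).join('\n')),
    acceptedEkus: parseEkuConfig(STORE_CFG),
  };
  const [firstListed] = pemToDer(ALLOWED_PEM);
  const unlisted = Buffer.from('ffff', 'hex'); // constructed, not on the list
  return [
    evaluateEndEntity(firstListed, ['1.3.6.1.5.5.7.3.4'], trust),  // listed + emailProtection
    evaluateEndEntity(firstListed, ['1.3.6.1.5.5.7.3.1'], trust),  // listed, but only serverAuth
    evaluateEndEntity(unlisted, ['1.3.6.1.5.5.7.3.36'], trust),    // good EKU, not listed
  ];
}
```

The hash form and the PEM form answer the same membership question because the digest is taken over the DER encoding, which is what a signing certificate embedded in a manifest is compared against; a client that only needs the yes/no answer can therefore download the much smaller hash file.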
Using the known certificate list
You can use the C2PA Tool or the CAI JavaScript library to determine whether a certificate is on the temporary known certificate list.
Using with C2PA Tool
The C2PA Tool documentation explains how to use the temporary known certificate list with the tool.
Using with the JavaScript library
To load and use these lists with the JavaScript library (c2pa-js), pass them to the read function as shown in the following TypeScript example:
```typescript
import { createC2pa, type ToolkitSettings } from 'c2pa';
import wasmSrc from 'c2pa/dist/assets/wasm/toolkit_bg.wasm?url';
import workerSrc from 'c2pa/dist/c2pa.worker.min.js?url';

// Fetch one of the trust-list files hosted on contentcredentials.org.
async function loadTrustResource(file: string): Promise<string> {
  const res = await fetch(`https://contentcredentials.org/trust/${file}`);
  if (!res.ok) {
    // Fail loudly rather than hand an error page to the verifier as trust material.
    throw new Error(`Failed to load trust resource ${file}: HTTP ${res.status}`);
  }
  return res.text();
}

// Build the toolkit settings from the anchor list, the hash form of the
// allowed list and the EKU configuration, with trust verification enabled.
async function getToolkitSettings(): Promise<ToolkitSettings> {
  const [trustAnchors, allowedList, trustConfig] = await Promise.all(
    ['anchors.pem', 'allowed.sha256.txt', 'store.cfg'].map(loadTrustResource),
  );
  return {
    trust: {
      trustConfig,
      trustAnchors,
      allowedList,
    },
    verify: {
      verifyTrust: true,
    },
  };
}

// Read an asset's Content Credential, validating its signer against the list.
async function readFile(asset: File) {
  const c2pa = await createC2pa({
    wasmSrc,
    workerSrc,
  });
  return c2pa.read(asset, {
    settings: await getToolkitSettings(),
  });
}
```
This code is for illustration purposes only. To ensure acceptable performance, production code should reuse the `c2pa` object and cache the output of `getToolkitSettings()` to avoid making unnecessary network calls.
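The caching advice above, as an added TypeScript example that is not part of c2pa-js: a generic wrapper that turns an async loader such as `getToolkitSettings()` into one that shares a single in-flight request among concurrent callers, reuses the result until a TTL expires, and never caches a failure. The loader and the clock are parameters so the example runs without the c2pa package; the `cachedLoader` name, the option names and the TTL values are assumptions.

```typescript
// Any function that produces a value asynchronously, e.g. getToolkitSettings.
type AsyncLoader<T> = () => Promise<T>;

interface CacheOptions {
  ttlMs: number;          // how long a successful result is reused
  now?: () => number;     // injectable clock (defaults to Date.now), useful for tests
}

// Wrap an async loader so that:
//  - concurrent callers share one in-flight promise instead of each fetching,
//  - a successful result is reused until ttlMs has elapsed,
//  - a rejected load is dropped so the next caller retries instead of
//    receiving the cached failure.
function cachedLoader<T>(load: AsyncLoader<T>, opts: CacheOptions): AsyncLoader<T> {
  const now = opts.now ?? (() => Date.now());
  let inflight: Promise<T> | undefined;
  let fetchedAt = -Infinity;
  return () => {
    if (inflight !== undefined && now() - fetchedAt < opts.ttlMs) {
      return inflight;
    }
    fetchedAt = now();
    const p = load();
    inflight = p;
    p.catch(() => {
      if (inflight === p) inflight = undefined; // forget failures, keep newer loads
    });
    return p;
  };
}

// Constructed scenario: three reads arrive at once, then another after the TTL.
// Uses a fake clock and a counting loader instead of real network calls.
function simulate(): { callsAfterBurst: number; sharedPromise: boolean; callsAfterExpiry: number } {
  let clock = 0;
  let calls = 0;
  const loadSettings = cachedLoader(
    () => {
      calls += 1;
      return Promise.resolve({ version: calls }); // stands in for ToolkitSettings
    },
    { ttlMs: 60_000, now: () => clock },
  );

  const a = loadSettings();
  const b = loadSettings();
  const c = loadSettings();
  const callsAfterBurst = calls;          // 1: the burst shared a single load

  clock = 61_000;                         // TTL elapsed
  loadSettings();
  return { callsAfterBurst, sharedPromise: a === b && b === c, callsAfterExpiry: calls };
}
```

Because the temporary list is subject to change, a finite TTL (an hour, say) is a better fit for `getToolkitSettings()` than loading it once for the lifetime of the page; the `c2pa` object from `createC2pa(...)`, by contrast, can be wrapped with `ttlMs: Infinity` to get a single shared instance.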
How to add a certificate to the list
If you have an application that is in production and publicly available, you can request to add its signing certificate to the temporary known certificate list: simply email verify-tl@c2pa.org.
We will review your request, and if it is approved, we'll ask for more details. Once we receive them and deploy the change, you will receive a confirmation email.