Content provenance is only as strong as its weakest link. A C2PA manifest signed at the point of capture carries tremendous value: it cryptographically proves where content came from, who touched it, and exactly how it changed along the way. But that proof collapses the moment a downstream tool strips or disregards it.
The reality is that every stage of the production workflow poses a distinct threat to that manifest. An encoding step can silently strip it during format conversion. Encryption can sever the cryptographic binding between the manifest and the asset. A re-encoding pass on a streaming platform can wipe it entirely. Managing these threats and keeping that provenance chain intact is advancing beyond a courtesy to creators and becoming a competitive differentiator.
Contact Us Now for C2PA Solutions
Adobe Photoshop and Lightroom also update signed manifests on every save. LinkedIn and TikTok surface content credentials to end users. Legislation in the EU, US, UK, Brazil, and several other countries is accelerating the adoption of mandatory machine-readable provenance requirements.
Creators adopting this technology will choose their downstream partners accordingly. If your editing tool, DRM service, encoding pipeline, watermarking platform, or playback system does not preserve and propagate C2PA manifest data, creators will find one that does. Additionally, each participant in the chain needs their own certificate. C2PA signing requires an X.509 certificate issued by a Certificate Authority on the C2PA Trust List.
Six Stages of C2PA Manifest Preservation
The second level is the individual creator. The Creator Assertion Working Group (CAWG) standard lets a person or organization attach a signed identity assertion to the manifest using an S/MIME certificate. This dual-signature model means the manifest carries both “what was captured and how” from the device and “who captured it” from the creator.
Action: Ensure your capture device firmware supports C2PA signing and embed a C2PA claim signing certificate. Creators and organizations should obtain a CAWG S/MIME certificate to attach their identity to every manifest.
Action: Editing tools must implement C2PA generator functionality at Assurance Level 1 (software-based signing). Every export that modifies the asset should produce a new signed claim referencing prior manifests in the manifest store (as stated previously, Adobe Photoshop and Lightroom already do this).
Action: Encoders must read the manifest store from the input asset, preserve all prior manifests, and generate a new signed claim recording the encoding action. If your encoder cannot yet sign, it must, at a minimum, pass existing manifests through without modification.
Action: DRM platforms should sign a new C2PA claim at the point of encryption, recording the protection action as an assertion and referencing prior provenance history. This requires your platform to obtain its own C2PA signing certificate.
Key point: Manifest stripping is a real-world problem. It can occur during format conversion, platform re-encoding, or through deliberate removal by an actor in the workflow. Imperceptible digital watermarking is your fallback. A watermark encoding a reference to the manifest or a content hash survives platform re-encoding and social media compression. Watermarking services can also generate their own C2PA assertion, recording the watermarking action as part of the provenance chain.
Action: Watermarking platforms should both embed a C2PA-linked watermark and generate a signed C2PA claim recording the watermarking action. Obtain a signing certificate so your platform becomes a trusted actor in the chain.
Action: Playback platforms should validate the full manifest store against the C2PA Trust List at ingestion, display content credential indicators to users, and handle assets whose manifests have been recovered via watermark.
No budget C2PA provider matches what SSL brings to the table. Budget alternatives skip the audits and security protocols that enterprise creators and regulators now require. SSL is the only provider that delivers a holistic content authenticity solution that includes:
Get started today. Test your C2PA implementation for free in SSL’s sandbox at c2pasign.com, or contact the SSL team below for a tailored media authenticity solution built around your specific workflow.
Learn more about how Sony’s Camera Authenticity Solution helps ensure the transparency of the editing history in accordance with the C2PA format verifies authenticity at a high level by providing a hardware-based in-camera digital signature for images captured with Sony-produced cameras.
The reality is that every stage of the production workflow poses a distinct threat to that manifest. An encoding step can silently strip it during format conversion. Encryption can sever the cryptographic binding between the manifest and the asset. A re-encoding pass on a streaming platform can wipe it entirely. Managing these threats and keeping that provenance chain intact is advancing beyond a courtesy to creators and becoming a competitive differentiator.
Contact Us Now for C2PA Solutions
Why Every Partner in the Chain Needs to Act Now
Adobe, Sony, Microsoft, Google, Meta, BBC, Reuters, and dozens of other organizations have committed heavily to C2PA. Several prominent camera manufacturers, including Sony, already embed signed manifests at capture. Sony’s latest Camera Authenticity Solution ver.2026.1 software update further expands its C2PA-compliant verification technology to include video in beta.Adobe Photoshop and Lightroom also update signed manifests on every save. LinkedIn and TikTok surface content credentials to end users. Legislation in the EU, US, UK, Brazil, and several other countries is accelerating the adoption of mandatory machine-readable provenance requirements.
Creators adopting this technology will choose their downstream partners accordingly. If your editing tool, DRM service, encoding pipeline, watermarking platform, or playback system does not preserve and propagate C2PA manifest data, creators will find one that does. Additionally, each participant in the chain needs their own certificate. C2PA signing requires an X.509 certificate issued by a Certificate Authority on the C2PA Trust List.
Six Stages of C2PA Manifest Preservation
Stage 1: Creation
Creation happens at two levels. The first is the capture device. C2PA Claim Signing Certificates are issued to software tools, platforms, and devices. These are the certificates that embed provenance data into the assets at the point of creation or processing. Cameras and recording equipment that implement C2PA at the hardware level operate at Assurance Level 2, with signing keys stored in a hardware security module. Sony’s Alpha cameras or even Sony’s PXW-Z300 cam recorders are a leading example of a camera that embeds a signed manifest at the moment of captureThe second level is the individual creator. The Creator Assertion Working Group (CAWG) standard lets a person or organization attach a signed identity assertion to the manifest using an S/MIME certificate. This dual-signature model means the manifest carries both “what was captured and how” from the device and “who captured it” from the creator.
Action: Ensure your capture device firmware supports C2PA signing and embed a C2PA claim signing certificate. Creators and organizations should obtain a CAWG S/MIME certificate to attach their identity to every manifest.
Stage 2: Post-Production (Editing)
Every crop, color grade, or effects layer changes the asset’s provenance. C2PA was designed for this. When an editing tool modifies an asset, it generates a new manifest that references the previous manifest as a “parent ingredient,” preserving the full chain of custody rather than overwriting it.Action: Editing tools must implement C2PA generator functionality at Assurance Level 1 (software-based signing). Every export that modifies the asset should produce a new signed claim referencing prior manifests in the manifest store (as stated previously, Adobe Photoshop and Lightroom already do this).
Stage 3: Encoding and Packaging
Encoding is a high-risk stage for manifest loss. When a transcoder rewraps an asset into a new container format such as MP4, MXF, or HLS, the original manifest can be stripped if the encoder is not C2PA-aware.Action: Encoders must read the manifest store from the input asset, preserve all prior manifests, and generate a new signed claim recording the encoding action. If your encoder cannot yet sign, it must, at a minimum, pass existing manifests through without modification.
Stage 4: Protection and Digital Rights Management (DRM)
DRM encryption modifies an asset’s binary content, which can break the cryptographic binding between the manifest and the asset if the implementation is not C2PA-aware.Action: DRM platforms should sign a new C2PA claim at the point of encryption, recording the protection action as an assertion and referencing prior provenance history. This requires your platform to obtain its own C2PA signing certificate.
Stage 5: Watermarking
Watermarking holds a uniquely powerful position in this workflow. It is the strongest available tool for manifest recovery. If any participant strips a C2PA manifest, whether accidentally during re-encoding or through deliberate tampering, an imperceptible digital watermark embedded in the asset can serve as a mechanism for recovery.Key point: Manifest stripping is a real-world problem. It can occur during format conversion, platform re-encoding, or through deliberate removal by an actor in the workflow. Imperceptible digital watermarking is your fallback. A watermark encoding a reference to the manifest or a content hash survives platform re-encoding and social media compression. Watermarking services can also generate their own C2PA assertion, recording the watermarking action as part of the provenance chain.
Action: Watermarking platforms should both embed a C2PA-linked watermark and generate a signed C2PA claim recording the watermarking action. Obtain a signing certificate so your platform becomes a trusted actor in the chain.
Stage 6: Playback
Playback is where provenance meets the audience. LinkedIn, TikTok, and Microsoft PowerPoint already display content credential indicators. Streaming platforms and content delivery networks are expected to validate manifests and surface credentials to viewers.Action: Playback platforms should validate the full manifest store against the C2PA Trust List at ingestion, display content credential indicators to users, and handle assets whose manifests have been recovered via watermark.
Why SSL for Your C2PA Integration
SSL was the first publicly trusted Certificate Authority on the C2PA conformance list, and the first to issue production-ready C2PA certificates. SSL’s dedicated team participates actively in the C2PA and CAWG working groups, helping shape the standards your implementation will follow.No budget C2PA provider matches what SSL brings to the table. Budget alternatives skip the audits and security protocols that enterprise creators and regulators now require. SSL is the only provider that delivers a holistic content authenticity solution that includes:
- WebTrust audits – Rigorous third-party audits that validate SSL’s security practices to the standard enterprise creators and regulators expect. Those audits cover the full stack of infrastructure that a production C2PA deployment depends on:
- OCSP responders for real-time certificate status checks
- Issuance APIs that deliver certificates reliably at scale
- Claim signing APIs that must be available every time a manifest is generated anywhere in the workflow.
- Hardware-backed signing infrastructure – Private keys secured in HSMs, not software, for the highest available assurance level.
- Custom API integrations – SSL’s team works directly with you to build the integration your specific workflow requires, rather than handing you a generic implementation guide.
- RFC 3161-compliant timestamping – SSL’s C2PA-accredited TSA cryptographically anchors the moment of signing so manifests stay verifiable long after a certificate expires.
- The only publicly available C2PA sandbox – Test and validate your implementation before going to production at c2pasign.com.
Get started today. Test your C2PA implementation for free in SSL’s sandbox at c2pasign.com, or contact the SSL team below for a tailored media authenticity solution built around your specific workflow.
Learn more about how Sony’s Camera Authenticity Solution helps ensure the transparency of the editing history in accordance with the C2PA format verifies authenticity at a high level by providing a hardware-based in-camera digital signature for images captured with Sony-produced cameras.
