RealConfirmation

How It Works

Content Credentials use cryptographic signatures to create a tamper-evident record of a file's history. Here's how the process works from start to finish.

1. The Signing Flow

When you take a photo with a C2PA-enabled device or edit a file in compatible software, a manifest is created and cryptographically signed. This manifest travels with the file wherever it goes.

From capture to verification

1. Capture: Camera or app records content with metadata
2. Sign: Device creates a cryptographic signature
3. Distribute: File is shared with credentials attached
4. Verify: Anyone can check the signature is valid

2. The Trust Chain

Signatures alone aren't enough: we also need to know who signed the content. C2PA uses a certificate trust chain, similar to how HTTPS works for websites. A root certificate authority issues certificates to organizations, who use them to sign their content.

Certificate trust chain

1. Root CA: Trusted certificate authority
2. Intermediate: Organization-level certificate
3. End Entity: Device or software certificate
4. Signature: Signs the content manifest

When RealConfirmation verifies a file, it checks whether the signing certificate chains back to a trusted root. If the chain is valid, the file shows as Verified. If the signature is cryptographically valid but the certificate isn't in the trust list, it shows as Valid, Untrusted Signer.

3. The Verification Process

When you upload a file to RealConfirmation, here's what happens, all in your browser, with nothing sent to our servers:

What RealConfirmation does

1. Read File: Parse the file in your browser
2. Extract Manifest: Find embedded C2PA metadata
3. Validate Signature: Check the cryptographic signature
4. Check Trust: Verify certificate against trust list
5. Show Result: Display verification status and details

What Each Result Means

Verified

The file has a valid C2PA manifest signed by a trusted certificate. The content has not been tampered with since signing.

Valid, Untrusted Signer

The cryptographic signature is valid (content hasn't been tampered with), but the signing certificate is not yet in the standard trust list. This is common for newer signers like OpenAI.

No Content Credentials

The file does not contain any C2PA metadata. This doesn't mean the content is fake; most files today don't have credentials yet.

Invalid Credentials

The file has C2PA metadata, but the signature is broken or the content has been modified since signing. The credentials cannot be trusted.
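
The verification steps and the four results described above, as an added example that is not RealConfirmation's code and does not use the real C2PA format. It is a simplified Node.js model in which a JSON manifest, an Ed25519 key pair and a set of public-key fingerprints stand in for the embedded manifest, the certificate chain and the trust list; the names `signAsset`, `verifyAsset` and `demo` and all sample values are constructed for illustration.

```javascript
// Added example: simplified model of the flow, not the C2PA wire format.
const nodeCrypto = require('node:crypto');

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest('hex');
// Assumption: a public-key fingerprint stands in for a certificate chain.
const fingerprint = (publicKey) =>
  sha256(publicKey.export({ type: 'spki', format: 'der' }));

// Signing side: bind the content hash into a manifest, then sign the manifest.
function signAsset(content, signerName, { privateKey, publicKey }) {
  const manifest = JSON.stringify({ signer: signerName, contentHash: sha256(content) });
  const signature = nodeCrypto.sign(null, Buffer.from(manifest), privateKey);
  return { content, credentials: { manifest, signature, publicKey } };
}

// Verifying side: extract manifest, validate signature, check trust, report.
function verifyAsset(asset, trustList) {
  const c = asset.credentials;
  if (!c) return 'No Content Credentials';
  // The signature covers the manifest; the manifest's hash covers the content.
  const sigOk = nodeCrypto.verify(null, Buffer.from(c.manifest), c.publicKey, c.signature);
  const hashOk = sigOk && JSON.parse(c.manifest).contentHash === sha256(asset.content);
  if (!hashOk) return 'Invalid Credentials';
  return trustList.has(fingerprint(c.publicKey)) ? 'Verified' : 'Valid, Untrusted Signer';
}

// Constructed sample data: two signers, only one of them on the trust list.
const trusted = nodeCrypto.generateKeyPairSync('ed25519');
const unknown = nodeCrypto.generateKeyPairSync('ed25519');
const trustList = new Set([fingerprint(trusted.publicKey)]);
const photo = Buffer.from('constructed sample image bytes');

function demo() {
  const signed = signAsset(photo, 'Example Camera', trusted);
  // Content changed after signing: the hash in the manifest no longer matches.
  const edited = { ...signed, content: Buffer.from('pixels changed after signing') };
  // Manifest changed after signing: the signature no longer matches.
  const relabeled = { ...signed, credentials: { ...signed.credentials,
    manifest: signed.credentials.manifest.replace('Example Camera', 'Other Signer') } };
  return {
    trustedSigner: verifyAsset(signed, trustList),
    unknownSigner: verifyAsset(signAsset(photo, 'New Tool', unknown), trustList),
    noCredentials: verifyAsset({ content: photo }, trustList),
    editedContent: verifyAsset(edited, trustList),
    editedManifest: verifyAsset(relabeled, trustList),
  };
}

console.log(demo());
```

The integrity check runs before the trust check, so a modified file reports Invalid Credentials even when its signer is on the trust list.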