Maat ScanMaat Scan
← Learn

Technical

What Is C2PA? How the Industry Is Fighting Fake Images with Metadata

By Maat Scan · May 19, 2026

In July 2025, Canon pushed a firmware update to the EOS R1 and R5 Mark II that added something new to every photo: a cryptographic record of the capture, including when the shutter fired, which camera body was used, and whether the file was edited afterward.1 That record travels inside the image file itself. A year earlier, almost no consumer camera had this capability. By early 2026, dozens did.

The Problem C2PA Solves

Detection tools can score a photo. They cannot prove where it came from. Those are different questions, and they need different tools.

C2PA (the Coalition for Content Provenance and Authenticity) addresses the provenance side. Not "does this look AI-generated" but "can we verify where this file came from and what happened to it." It does this by embedding a cryptographic certificate, called a Content Credential, directly into the image file at the moment of creation or editing.

How a Content Credential Works

A C2PA Manifest, the technical name for a Content Credential, contains three layers.

Assertions are statements about the asset: when and where it was created, what editing tools were applied, and whether AI was involved in generating or modifying it.

The Claim is a structured summary that binds the assertions together into a single verifiable unit.

The Claim Signature is a cryptographic signature using the private key of the device or software that created the content, issued under X.509-based credentials.

The signature is computed using SHA2-256 hashes in a Merkle tree structure, so any modification to the image or the manifest itself immediately invalidates it.2The credential is tamper-evident: a compliant viewer can confirm offline that the signature was valid at signing time and that nothing changed afterward. No central database or internet connection is required for verification.

Who Is Behind It

C2PA was founded in February 2021 by Adobe, Arm, BBC, Intel, and Microsoft.3 The standard is now maintained by a steering committee that also includes OpenAI, Amazon, Meta, and Sony. As of January 2026, over 6,000 organizations and individuals had joined the Content Authenticity Initiative, the industry body promoting C2PA adoption.4

On the hardware side, Leica was the first to ship a C2PA-capable consumer camera with the SL3-S in January 2025. Canon followed with firmware covering the EOS R1, R5 Mark II, and several other bodies in July 2025.1 Samsung shipped C2PA support in the Galaxy S25 in early 2025, the first mainstream smartphone with built-in credential signing. Google added hardware-backed signing at C2PA Assurance Level 2 to the Pixel 10 in August 2025.5

Not every rollout went smoothly. Nikon added C2PA to the Z6 III via firmware in August 2025, then suspended the service weeks later after a signing vulnerability was discovered. As of early 2026, the service had not been restored and all previously issued certificates were revoked.5

The Stripping Problem

The biggest obstacle to C2PA working at scale is not technical. It is a platform behavior: metadata stripping.

When a C2PA-signed image is uploaded to most social media platforms, the manifest is removed during re-encoding and compression. The file that viewers eventually see carries no credential. This is not a flaw in the C2PA specification; it is how platforms have always handled image uploads, and changing it requires deliberate engineering decisions on their part.

TikTok became the first major platform to preserve and display C2PA credentials in January 2025, in partnership with the CAI.6 LinkedIn displays a CR icon on signed images. Most other major platforms do not yet preserve the manifest at all.

Until stripping becomes the exception, C2PA credentials survive reliably only when images are shared through C2PA-aware channels or verified directly from the original file before being uploaded anywhere.

How This Relates to AI Detection

C2PA and AI image detection tools are complementary. Detection asks: does this image carry statistical signatures of AI generation? C2PA asks: can we verify the chain of custody?

A valid C2PA credential from a trusted camera manufacturer, combined with a high authenticity score from a detection tool, is substantially stronger evidence than either alone. A missing credential does not mean an image is fake; most genuine photos today carry no credential. But a credential that verifies cleanly against the signer's public key is hard to forge.

The EU AI Act's Article 50, which requires machine-readable disclosure for AI-generated content depicting real people, begins enforcement in August 2026.7 C2PA is the leading open standard positioned to satisfy that requirement. Whether it will depends heavily on whether platforms start preserving manifests rather than stripping them.

Sources

  1. SoftwareSeni, "C2PA Adoption in 2026 Hardware Platforms and Verification Reality," Softwareseni.com, 2026.
  2. C2PA, "Content Credentials and C2PA Explainer," spec.c2pa.org, 2025.
  3. Content Authenticity Initiative, Wikipedia, 2025.
  4. Content Authenticity Initiative, "5,000 members: building momentum for a more trustworthy digital world," contentauthenticity.org, January 2026.
  5. AttestTrail, "C2PA Cameras & Phones 2026: Nikon, Canon, Sony, Leica, Samsung, Pixel," attesttrail.com, 2026.
  6. TrueScreen, "C2PA Standard in 2026: How It Works, Limitations & What's Missing," truescreen.io, 2026.
  7. EU AI Act, Article 50 (transparency obligations for AI-generated content), 2024.

← Previous

Japan's Portrait Rights in the Age of Generative AI

Try Maat Scan

Scan a photo now