Serelay C2PA Open Source

by | Nov 24, 2021

Serelay C2PA Toolkits Now Open Source

Now released under a permissive Open Source license (MIT) Serelay has put together some tooling to get started with the C2PA ecosystem following the release of the C2PA Draft specification version 0.7 JPEGs.

These components form a whole-flow, originating from a mobile client device. However, there is nothing, with some adjustments, preventing the server operating all of this server-side. The current state of flows are:

Example flow

Starting with:

  • User selects image to create a C2PA assertion.
  • Device calculates some C2PA information for a server module to use.

Then either:

Scenario A (Server-side thumbnail generation)

  • Device requests signed C2PA information to write, providing original image.
  • Server produces full C2PA information, with embedded thumbnail data.
  • Device receives full C2PA information.
  • Device processes information and writes content to a copy of the original file.


Scenario B (Client-side thumbnail generation)

  • Device creates thumbnail for C2PA from original asset.
  • Device provides server with hash and thumbnail information points for C2PA generation.
  • Server constructs C2PA information with placeholder data as the thumbnail portion.
  • Server signs this, trusting the client-provided thumbnail hash and length.
  • Device receives data with JUMBF thumbnail placeholder data omitted.
  • Device augments JUMBF segments with real thumbnail data.
  • Device writes XMP information and thumbnail-augmented JUMBF segments to a copy of the original file.

In either scenario the Server holds the signing key, so a device does not have the ability sign.

Scenario A provides a foundation for full-generation to be performed server-side, provided it has access to the original asset.

These projects are as follows:

C2PA Node – github

A NodeJS toolkit to produce C2PA assets, either entirely, or the partial forms used by C2PA iOS and Android respectively.

C2PA Android – github

An Android toolkit to be used in conjunction with C2PA Node to produce JPEG files with C2PA Provenance data.

C2PA iOS – github

An iOS toolkit to be used in conjunction with C2PA Node to produce JPEG files with C2PA Provenance data.

C2PA Web – github

A web plugin/toolkit to validate C2PA assets in the browser.

The Node, iOS and Android have two main approaches: Full-privacy, and full-upload. Both require different kinds of trust.

Full-privacy relies on client-side trust. While the server is still the key-holder and signer, the data that it is signing is partially formed by what the client provides. Without sufficient client-side checks, validated by the server, these pose some risk. Each of the repositories for iOS and Android explain how to do this to some degree. The key benefit of this approach is that the server does not see the content of the JPEG that it is creating a provenance record for. However, depending on your choice, this may need to include additional data, such as time and/or location.

Full-file relies on the server having access to the full file at provenance creation time. This means the hashes, EXIF values and visual content are available for C2PA, and a thumbnail can be produced server side. This means the server can have a stronger confidence in the content it is signing.

These repositories will not be maintained going forward, so should you wish to use them please fork them accordingly.