# Content authenticity with C2PA manifests
When you create MP4 outputs with AWS Elemental MediaConvert, you can optionally embed a C2PA manifest to provide content provenance and authenticity for your media. C2PA (Coalition for Content Provenance and Authenticity) is a standardized method for providing verifiable information about the origin and history of digital content.
C2PA manifests help address the growing issue of misinformation and deepfakes by embedding verifiable information into media files. This information creates a traceable record of the content's origin and modifications.
Some reasons to include C2PA manifests in your workflow might include:
+ Provide verifiable information about a media file's transcoding history.
+ Allow downstream systems to verify the authenticity of your content.
+ Support transparency initiatives for digital media.
For more information about content authenticity and C2PA, see: [Content Authenticity Initiative](https://contentauthenticity.org/) and [C2PA specification](https://c2pa.org/specifications/specifications/2.2/index.html)
**Topics**
+ [Configuring a job with a C2PA manifest](c2pa-manifest-use.md)
+ [Requirements for C2PA manifests](c2pa-manifest-requirements.md)
+ [C2PA manifest structure](c2pa-manifest-structure.md)
+ [Verifying C2PA manifests](c2pa-manifest-verification.md)
# Configuring a job with a C2PA manifest
To include a C2PA manifest in your MP4 output, you need to configure your job settings with the necessary parameters for signing and embedding the manifest.
## MediaConvert console
To include a C2PA manifest in an MP4 output by using the MediaConvert console:
1. In the **Output groups** section, add a **File** output group.
1. In **Output settings**, set **Container** to **MPEG-4 container**.
1. Expand **MPEG-4 container settings**.
1. For **C2PA manifest**, choose **Include**.
1. For **Certificate secret**, enter the name or ARN of the Secrets Manager secret that contains your C2PA public certificate chain in PEM format.
1. For **Signing KMS key**, enter the ID or ARN of the AWS KMS key used to sign the C2PA manifest.
## API, SDK, or AWS Command Line Interface (AWS CLI)
To include a C2PA manifest by using the API, SDK, or AWS Command Line Interface (AWS CLI), include the following in your MP4 container settings. Replace the example ARNs of the **Certificate secret** and **Signing KMS key** with your ARNs:
```
...
"OutputGroups": [{
"Name": "File Group",
"OutputGroupSettings": {
"Type": "FILE_GROUP_SETTINGS",
"FileGroupSettings": {}
},
"Outputs": [{
"VideoDescription": {...},
"AudioDescriptions": [...],
"ContainerSettings": {
"Container": "MP4",
"Mp4Settings": {
"C2paManifest": "INCLUDE",
"CertificateSecret": "arn:aws:secretsmanager:us-west-2:111122223333:secret:c2pa-certificate-abc123",
"SigningKmsKey": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
}]
}]
...
```
# Requirements for C2PA manifests
To include C2PA manifests in your MediaConvert outputs, you need the following:
**MP4 container**
C2PA manifests are only supported for MP4 outputs.
**C2PA certificate**
A public certificate chain in PEM format stored in Secrets Manager. The certificate chain should include the signer's certificate and all intermediate certificates, but not the root certificate.
For information about obtaining C2PA-compatible certificates, see [https://opensource.contentauthenticity.org/docs/signing/get-cert](https://opensource.contentauthenticity.org/docs/signing/get-cert)
For information about Secrets Manager, see the [Secrets Manager user guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).
**AWS KMS key**
An AWS KMS key with ECDSA\$1SHA\$1256 signing capability. This key is used to sign the C2PA manifest. Currently, MediaConvert only supports the ES256 (ECDSA with SHA-256) signing algorithm.
For information about AWS KMS, see the [AWS KMS user guide](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html).
**IAM permissions**
Your MediaConvert service role must have permissions to access the specified Secrets Manager secret and AWS KMS key. Add the following permissions to your service role:
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "kms:Sign",
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
},
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:c2pa-certificate-abc123"
}
]
}
```
**Size limitations**
The C2PA manifest has a size limit of 32KB. If your certificate chain or other manifest components exceed this limit, the job will fail with an error.
# C2PA manifest structure
When you embed a C2PA manifest in your MP4 output, MediaConvert generates a manifest with the following components:
**Claim generator information**
Identifies MediaConvert as the service that generated the manifest.
**Format**
Specifies the media format (video/mp4).
**Assertions**
Includes statements about actions performed on the content, such as:
+ `c2pa.opened`: Indicates the content was opened for processing
+ `c2pa.transcoded`: Indicates the content was transcoded
**Asset hash**
A cryptographic hash of the media content to verify its integrity. MediaConvert uses the SHA-256 hashing algorithm for asset validation.
**Digital signature**
A signature created with your KMS key that verifies the authenticity of the manifest. The signature includes a timestamp token from DigiCert's timestamp authority (http://timestamp.digicert.com) to ensure long-term signature validation.
The manifest is embedded in the MP4 file using a standard C2PA UUID box, placed after the FTYP box and before the MOOV box.
**Note**
If your input file already contains C2PA manifests, MediaConvert does not preserve them in the output. Instead, it generates a new manifest.
# Verifying C2PA manifests
After creating MP4 outputs with C2PA manifests, you can verify the manifests using C2PA-compatible tools. These tools can extract and validate the manifest, including checking the digital signature and asset hash.
A properly validated C2PA manifest confirms that:
+ The manifest was signed by the specified certificate
+ The content has not been modified since the manifest was created
+ The actions and assertions in the manifest are intact
For more information about C2PA and available verification tools, see the [C2PA website](https://c2pa.org). You can use the open-source [c2patool](https://github.com/contentauth/c2pa-rs/tree/main/cli) to verify C2PA manifests in your media files. For example:
```
c2patool example.mp4 --info
```
A successful validation will show output similar to:
```
$ c2patool example.mp4 --info
Information for example.mp4
Manifest store size = 32000 (0.56% of file size 5705967)
Validated
One manifest
```
For more detailed information about the manifest contents, use the `--detailed` flag:
```
c2patool example.mp4 --detailed
```
The following is an example output from c2patool:
```
$ c2patool example.mp4 --detailed
{
"active_manifest": "urn:uuid:0b3bd0b6-9783-4adc-9609-fb29fff858da",
"manifests": {
"urn:uuid:0b3bd0b6-9783-4adc-9609-fb29fff858da": {
"claim": {
"dc:title": "example.mp4",
"dc:format": "video/mp4",
"instanceID": "xmp:iid:190fb451-7dc4-4878-b0d2-512d9b1c5dab",
"claim_generator": "mediaconvert/1.0",
"claim_generator_info": [
{
"name": "MediaConvert",
"version": "1.0",
"org.cai.c2pa_rs": "0.39.0"
}
],
"signature": "self#jumbf=/c2pa/urn:uuid:0b3bd0b6-9783-4adc-9609-fb29fff858da/c2pa.signature",
"assertions": [
{
"url": "self#jumbf=c2pa.assertions/c2pa.actions",
"hash": "P2+zrSTu2U5aGo4mNC35EWEM7vjfLho/2tTKmZ+ls+k="
},
{
"url": "self#jumbf=c2pa.assertions/c2pa.hash.bmff",
"hash": "majeRA6voTIMvHShWBR5Vqg7e4c7dVFsfTbezIzn63o="
}
],
"alg": "sha256"
},
"assertion_store": {
"c2pa.actions": {
"actions": [
{
"action": "c2pa.opened"
},
{
"action": "c2pa.transcoded"
}
]
},
"c2pa.hash.bmff": {
"alg": "sha256",
"hash": "BHZI6ml1LqBf2xLaKAzYS8uOYwWo5/Wsc30wRYmnr4M=",
"name": "jumbf manifest",
"exclusions": [
{
"data": null,
"exact": null,
"flags": null,
"xpath": "/ftyp",
"length": null,
"subset": null,
"version": null
},
{
"data": null,
"exact": null,
"flags": null,
"xpath": "/uuid",
"length": null,
"subset": null,
"version": null
},
{
"data": null,
"exact": null,
"flags": null,
"xpath": "/free",
"length": null,
"subset": null,
"version": null
},
{
"data": null,
"exact": null,
"flags": null,
"xpath": "/mdat",
"length": null,
"subset": [
{
"length": 8,
"offset": 0
}
],
"version": null
},
{
"data": null,
"exact": null,
"flags": null,
"xpath": "/moov",
"length": null,
"subset": null,
"version": null
},
{
"data": null,
"exact": null,
"flags": null,
"xpath": "/mfra",
"length": null,
"subset": null,
"version": null
}
]
}
},
"signature": {
"alg": "es256",
"issuer": "Test Organization",
"time": "2025-04-11T23:17:33+00:00"
}
}
},
"validation_status": [
{
"code": "claimSignature.validated",
"url": "self#jumbf=/c2pa/urn:uuid:0b3bd0b6-9783-4adc-9609-fb29fff858da/c2pa.signature",
"explanation": "claim signature valid"
},
{
"code": "assertion.hashedURI.match",
"url": "self#jumbf=/c2pa/urn:uuid:0b3bd0b6-9783-4adc-9609-fb29fff858da/c2pa.assertions/c2pa.actions",
"explanation": "hashed uri matched: self#jumbf=c2pa.assertions/c2pa.actions"
},
{
"code": "assertion.hashedURI.match",
"url": "self#jumbf=/c2pa/urn:uuid:0b3bd0b6-9783-4adc-9609-fb29fff858da/c2pa.assertions/c2pa.hash.bmff",
"explanation": "hashed uri matched: self#jumbf=c2pa.assertions/c2pa.hash.bmff"
},
{
"code": "assertion.bmffHash.match",
"url": "self#jumbf=/c2pa/urn:uuid:0b3bd0b6-9783-4adc-9609-fb29fff858da/c2pa.assertions/c2pa.hash.bmff",
"explanation": "data hash valid"
}
]
}
```