The interim trust list
The process described on this page is deprecated. The C2PA has released its official trust lists, and Verify will be updated to use them soon. See Deprecation timeline for more information.
The C2PA Verify tool uses a list of known certificates (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. If an asset's Content Credential was not signed by a known certificate, the Verify tool will display this message:
Conversely, if the Content Credential was signed by a known certificate, the Verify tool will display the name of the certificate owner and time of the claim signature.
Deprecation timeline
Currently, Verify uses the interim trust list described here (also referred to as the temporary trust list), but Verify will be updated soon to use the official C2PA trust list.
The interim trust list (also known as the temporary trust list) will remain operational through December 31, 2025. During this time, C2PA will continue to accept new certificates following the process described below. At some point, the Verify site will distinguish between Content Credentials from conforming products and those signed using certificates on the interim trust list.
On January 1, 2026, the interim trust list will be frozen: C2PA will not add any new entries or make updates. Existing certificates will remain valid, but eventually, those certificates will expire and no longer be usable for signing. However, if content was signed during the certificate's validity period, the content will always be considered valid against the interim trust list.
For more information about conformance, see C2PA conformance program.
Interim known certificate list
The Verify site hosts the following files that it uses to validate signing certificates. Together, these files form the interim known certificate list:
- The interim end-entity certificate list consists of end-entity certificates. If the certificate is on this list, it is considered "known." To reduce bandwidth consumption, a version with SHA-256 hashes of the certificates is also available.
- The interim known anchor list contains the list of known anchor certificates. If an end-entity certificate's chain can be traced back to an anchor certificate on this list, the certificate is considered "known."
- The configuration file specifies the Extended Key Usage (EKU) values accepted for end-entity certificates. An end-entity certificate must have at least one of the EKUs in this list to be valid.
Checking your certificate
Before requesting to add your signing certificate to the known certificate list, perform a preliminary check to ensure the certificate is configured properly.
Prerequisites
The preliminary certificate check procedure below requires the following tools. You must install them if you haven't done so already:
- jq, a lightweight and flexible command-line JSON processor. On macOS, if you have Homebrew, you can install jq by entering
brew install jq. - OpenSSL, a cryptographic software library and CLI. It's installed on many systems such as macOS (but make sure you have a recent version). If OpenSSL is not installed on your system, see the list of unofficial binary distributions.
- C2PA Tool, the command line tool for working with C2PA manifests and media assets.
Procedure
In the example commands given below, cert.pem is your certificate file.
Check your certificate by following these steps:
Ensure that signing with the certificate doesn't have any validation errors by using a C2PA Tool command like this:
c2patool ./image.jpg trust --allowed_list ./cert.pemConfirm that the result does not contain a
validation_statusfield, which indicates an error.Confirm that the
signature_info.issuerfield in the manifest is correct. This field determines what Verify displays for the organization name after "Issued by ...". Use a C2PA Tool command like this:c2patool ./image.jpg trust --allowed_list ./cert.pem \
| jq --args '.manifests[].signature_info.issuer'The response should be something like this:
"XYZ Inc."Where "XYZ Inc." is the name of your organization.
Use
opensslto perform basic verification of the certificate you're submitting; for example:openssl x509 -noout -text -in 'cert.pem' | grep 'Subject:'Example response:
Subject: organizationIdentifier=XYZ-7155227, C=US, ST=Delaware, L=Dover, O=Whatever Inc., SN=xxx, GN=xxx, CN=xxx
Using the interim known certificate list
You can use the C2PA Tool or the CAI JavaScript library to determine whether a certificate is on the interim known certificate list.
Using with C2PA Tool
The C2PA Tool documentation explains how to use the interim known certificate list with the tool.
Using with the JavaScript library
To load and use these lists with the JavaScript library (c2pa-js), pass them to the read function as shown in the following TypeScript example:
import { createC2pa, type ToolkitSettings } from 'c2pa';
import wasmSrc from 'c2pa/dist/assets/wasm/toolkit_bg.wasm?url';
import workerSrc from 'c2pa/dist/c2pa.worker.min.js?url';
async function loadTrustResource(file: string): Promise<string> {
const res = await fetch(`https://contentcredentials.org/trust/${file}`);
return res.text();
}
async function getToolkitSettings(): Promise<ToolkitSettings> {
const [trustAnchors, allowedList, trustConfig] = await Promise.all(
['anchors.pem', 'allowed.sha256.txt', 'store.cfg'].map(loadTrustResource),
);
return {
trust: {
trustConfig,
trustAnchors,
allowedList,
},
verify: {
verifyTrust: true,
},
};
}
async function readFile(asset: File) {
const c2pa = await createC2pa({
wasmSrc,
workerSrc,
});
return c2pa.read(asset, {
settings: await getToolkitSettings(),
});
}
This code is for illustration purposes only. To ensure acceptable performance, production code should reuse the c2pa object and cache the output of getToolkitSettings() to avoid making unnecessary network calls.
How to add a certificate to the list
If you have an application that is in production and publicly available, you can request to add its signing certificate to the interim known certificate list.
The interim trust list is being deprecated. While you can still request to add your certificate to the list (through the end of 2025), you are strongly encouraged to apply to the C2PA conformance program and use the official C2PA trust list. See C2PA conformance program for more information.
Follow these steps:
- Do a preliminary check of your certificate to ensure it meets the requirements for C2PA signing certificates and to be in the Verify interim certificate list.
- Submit your request by emailing
verify-tl@c2pa.org. We will review your request, and if it is approved, we'll ask for more details. Once we receive them and deploy the update to the trust list, you will receive a confirmation email.