c2pa-metadata

name: c2pa-metadata description: "Embed C2PA (Content Authenticity Initiative) provenance manifests in AI-generated marketing assets (image/video/audio/PDF). Use when: preparing AI-generated ad creative, social images, or video for EU markets to comply with EU AI Act Article 50 (applicable 2 Aug 2026); embedding visible AI-generation disclosure in assets; meeting brand-trust transparency requirements."

/digital-marketing-pro:c2pa-metadata — Embed Content Authenticity Provenance

Purpose

Wraps scripts/embed-c2pa.py to add a C2PA (Coalition for Content Provenance and Authenticity) manifest to any AI-generated marketing asset. The manifest carries a machine-readable provenance trail (who generated it, what generator was used, what prompt produced it, when it was reviewed) plus a visible AI-generation claim in the IPTC digital-source-type vocabulary.

This is the technical mechanism brands use to comply with:

EU AI Act Article 50 (applicable 2 August 2026) — generative-AI marketing content must be marked in a machine-readable format using open, interoperable standards. C2PA is the emerging backbone. Penalty for non-compliance: up to €15 million or 3% global annual turnover.
NY synthetic-performer disclosure law (effective June 2026) — $1K–$5K per violation, $10K repeat; applies to synthetic influencers and AI-generated endorsements.
FTC May 2026 endorsement guidance — covers AI testimonials and synthetic creator content.
Australia Online Safety Act / UK Online Safety Act — emerging deepfake disclosure requirements.

The resulting asset can be inspected by any C2PA-aware viewer (Adobe Photoshop, Lightroom, Truepic, contentcredentials.org/verify).

C2PA spec versions to be aware of (June 2026)

Content Credentials 2.3 (released 9 February 2026 — launch post) added format support for: live video (broadcast/streaming), plain text documents, OGG Vorbis audio, large AVI video files, and EXIF Original Preservation Images. If a brand is signing live-stream video or text-based assets for the first time, 2.3 is the floor version to target.
C2PA Spec 2.4 (April 2026 — spec.c2pa.org/specifications/specifications/2.4) introduces the AI Disclosure Assertion (c2pa.ai-disclosure) for machine-readable AI transparency info — this is the assertion the EU AI Act Article 50 deployer pathway will rely on. The Code of Practice WG1 (providers) and WG2 (deployers) draft guidance both reference C2PA-style assertions as the canonical machine-readable marking mechanism. See skills/context-engine/eu-code-of-practice.md for the full Article 50 context.
The C2PA Trust List is now handled via the public C2PA Conformance Program (any CA meeting the Certificate Policy can join). Production signing certificates should come from a Conformance-Program-listed CA, not an ad-hoc cert.

For DMP outputs: when the underlying embed-c2pa.py script supports --ai-disclosure (or you're piping through a C2PA SDK ≥ 0.36 that handles 2.4), include the c2pa.ai-disclosure assertion alongside the existing IPTC digital-source-type claim. The combination gives you both human-readable (IPTC) and machine-readable (c2pa.ai-disclosure) Article 50 signaling.

When to invoke

Right after any AI image / video / audio generation step in the engagement workflow (Part 11 — AI Creative Instructions output)
Before handing a generated asset to the design team for review
As a pre-publish gate in /digital-marketing-pro:check for EU-targeted assets
Bulk-applying to a backlog of AI-generated assets before EU AI Act enforcement on 2 Aug 2026

Quick examples

# Single asset — image generated by Vertex AI / Nano Banana Pro
/digital-marketing-pro:c2pa-metadata \
    --input assets/q3-launch-hero.png \
    --output assets/signed/q3-launch-hero.png \
    --brand "Acme Corp" \
    --generator "Vertex AI / Nano Banana Pro" \
    --ai-claim ai-generated-content \
    --prompt "minimalist product hero shot, soft natural lighting"

# Video with human review tracked
/digital-marketing-pro:c2pa-metadata \
    --input campaigns/launch-video-v3.mp4 \
    --output campaigns/signed/launch-video-v3.mp4 \
    --brand "Acme Corp" \
    --generator "Runway Gen-4" \
    --ai-claim ai-generated-content \
    --reviewer "Jane Smith"

# Human-created image with AI-assisted edits
/digital-marketing-pro:c2pa-metadata \
    --input assets/founder-headshot-edited.jpg \
    --output assets/signed/founder-headshot-edited.jpg \
    --brand "Acme Corp" \
    --generator "Adobe Generative Fill" \
    --ai-claim ai-assisted-edits

# Production sign with a real C2PA signing certificate
/digital-marketing-pro:c2pa-metadata \
    --input assets/q3-launch-hero.png \
    --output assets/signed/q3-launch-hero.png \
    --brand "Acme Corp" \
    --generator "Vertex AI / Nano Banana Pro" \
    --ai-claim ai-generated-content \
    --signing-cert /secure/c2pa-prod-cert.pem \
    --signing-key /secure/c2pa-prod-key.pem

AI claim values (IPTC digital source type)

Value	When to use	Maps to IPTC URI
`ai-generated-content`	Asset fully generated by AI	`algorithmicMedia`
`ai-assisted-edits`	Human-created + AI-edited (e.g. Generative Fill)	`compositeWithTrainedAlgorithmicMedia`
`ai-no-substantive-changes`	AI used (e.g. upscaling) but no semantic change	`minorHumanEdits`

The IPTC vocabulary is what EU AI Act regulators reference — using these values rather than ad-hoc strings makes the asset interoperable with the Article 50 enforcement tooling.

Supported asset formats

.png · .jpg/.jpeg · .webp · .gif · .tiff · .mp4 · .mov · .webm · .mp3 · .wav · .pdf

Signing certificate

Production C2PA signatures require a certificate from a CAI-recognized signing authority. The script will use one if you pass --signing-cert and --signing-key. If you omit them, the script generates a self-signed 90-day dev certificate for development testing only — a self-signed asset will verify as "signature present but signer not in trust list" at contentcredentials.org/verify.

For production deployment:

Obtain a C2PA-compatible signing certificate from a CAI-recognized authority (Adobe, Truepic, Numbers Protocol, Microsoft Azure Confidential Ledger).
Store the cert + key securely (do NOT commit to git; use an environment-variable path or secret store).
Pass --signing-cert and --signing-key on every production invocation.

Reference: opensource.contentauthenticity.org/docs/manifest/signing-manifests/

Python dependencies

c2pa-python>=0.5.0 — auto-installed on first run via pip install
cryptography — only needed for the dev self-signed cert path; auto-installed if missing

Both are part of the plugin's Full mode (~50 MB) — see pip install -r scripts/requirements.txt in the README.

Output

The script prints a JSON status report to stdout:

{
  "status": "success",
  "input": "assets/q3-launch-hero.png",
  "output": "assets/signed/q3-launch-hero.png",
  "size_bytes": 482371,
  "brand": "Acme Corp",
  "generator": "Vertex AI / Nano Banana Pro",
  "ai_claim": "ai-generated-content",
  "created": "2026-05-16T10:30:00+00:00",
  "manifest_assertions": ["c2pa.actions", "stds.schema-org.CreativeWork"],
  "using_dev_cert": false,
  "verify_url": "https://contentcredentials.org/verify"
}

Integration with the engagement workflow

In a full 12-part engagement, this skill plugs in at Part 11 — AI Creative Instructions output. After a creative brief is rendered as an actual asset (in SocialForge or a manual creative process), the resulting file passes through c2pa-metadata before being checked in to engagements/<slug>/11-creative-briefs/signed/.

The /digital-marketing-pro:check pre-publish gate should also verify that all AI-generated assets in an EU-targeted campaign carry a C2PA manifest. v3.4 adds this verification to the EU jurisdiction rule pack in skills/context-engine/compliance-rules.md.

/digital-marketing-pro:check — pre-publish quality gate (now verifies C2PA manifest on AI assets for EU campaigns)
skills/context-engine/compliance-rules.md — EU AI Act Article 50 rule pack
skills/influencer-creator/ftc-compliance.md — FTC May 2026 endorsement guidance
C2PA spec v1.3
Content Authenticity Initiative