c2pa-sign

Embed C2PA (Content Authenticity Initiative) provenance manifests into SocialForge AI-generated assets — images, video, audio. Use when: preparing AI-generated social posts for EU markets to comply with EU AI Act Article 50 (applicable 2 Aug 2026); making AI generation disclosure machine-readable; signing already-generated assets retroactively; auto-signing newly generated assets when c2pa_auto_sign is enabled in brand profile.

By indranilbanerjee · Updated 6/3/2026

name: c2pa-sign
description: "Embed C2PA (Content Authenticity Initiative) provenance manifests into SocialForge AI-generated assets — images, video, audio. Use when: preparing AI-generated social posts for EU markets to comply with EU AI Act Article 50 (applicable 2 Aug 2026); making AI generation disclosure machine-readable; signing already-generated assets retroactively; auto-signing newly generated assets when c2pa_auto_sign is enabled in brand profile."

/socialforge:c2pa-sign — Embed Content Authenticity Provenance

Context efficiency

Asset-heavy skill. Grep the asset catalog (${CLAUDE_PLUGIN_DATA}/<brand>/assets/index.json) before you Read it; never list the asset directory. Reference generated images and videos by path rather than loading their metadata. The brand profile loads once per session.

Purpose

Wraps scripts/c2pa_sign.py to add a C2PA manifest to any SocialForge-generated marketing asset. The manifest carries:

  • Machine-readable provenance trail (brand, generator name, timestamp, prompt, target platform)
  • IPTC digital-source-type vocabulary tag (TRAINED_ALGORITHMIC_MEDIA / COMPOSITE_WITH_TRAINED_ALGORITHMIC_MEDIA / HUMAN_EDITS)
  • schema.org CreativeWork assertion (author = brand organization, dateCreated, publishingPrinciples = target platform)

Why this matters: EU AI Act Article 50 applies from 2 August 2026. Generative-AI marketing content distributed in EU markets must be marked in a machine-readable format using open, interoperable standards — C2PA is the emerging backbone. Penalty: up to €15 million or 3% of global annual turnover. Additional disclosure obligations apply under the NY synthetic-performer law (effective June 2026) and the FTC's May 2026 endorsement guidance.

The resulting asset is verifiable at contentcredentials.org/verify or in any C2PA-aware viewer (Adobe Photoshop, Lightroom, Truepic, Microsoft Copilot, etc.).

C2PA spec versions relevant to SocialForge (June 2026)

  • Content Credentials 2.3 (released 9 February 2026 — launch post) added support for live video (broadcast/streaming), plain text documents, OGG Vorbis audio, large AVI video files, and EXIF Original Preservation Images. Relevant to SocialForge because:
    • Live video signing matters if you're producing Reels / TikTok / Shorts streaming content alongside the planned monthly batch.
    • EXIF Original Preservation Image format is the cleanest path for signing product photography that the brand wants to preserve through ad ops cropping.
  • C2PA Spec 2.4 (April 2026 — spec.c2pa.org/specifications/specifications/2.4) introduces the AI Disclosure Assertion (c2pa.ai-disclosure) — machine-readable AI transparency info that the EU AI Act Article 50 deployer pathway will read. When c2pa_sign.py is on a C2PA SDK ≥ 0.36 that handles 2.4, include this assertion alongside the existing IPTC + schema.org tags. The combination is what the EU Code of Practice WG1/WG2 drafts reference as the canonical machine-readable mark.
  • C2PA Trust List is now handled via the public C2PA Conformance Program — production signing certificates should come from a Conformance-Program-listed CA.

For the regulatory context (EU Article 50 voluntary Code of Practice, WG1 providers vs WG2 deployers split, where SocialForge falls), see Digital Marketing Pro's skills/context-engine/eu-code-of-practice.md — this is shared regulatory knowledge across the Neelverse Marketing Suite.

When SocialForge invokes this automatically

If a brand profile sets c2pa_auto_sign: true, the image and video generation pipelines call this script as a post-generation step before delivering the asset. The signed file replaces the unsigned one — original output path is preserved.

If the brand profile does NOT set c2pa_auto_sign: true, generated assets are unsigned by default. You can sign on demand by invoking this skill explicitly.

Quick examples

# Sign an image generated by Vertex AI for Instagram
/socialforge:c2pa-sign \
    --input assets/q3-launch-hero.png \
    --output assets/signed/q3-launch-hero.png \
    --brand "Acme Corp" \
    --generator "Vertex AI Nano Banana Pro" \
    --ai-claim ai-generated-content \
    --platform instagram

# Sign a video generated by Kling for TikTok
/socialforge:c2pa-sign \
    --input campaigns/launch.mp4 \
    --output campaigns/signed/launch.mp4 \
    --brand "Acme Corp" \
    --generator "WaveSpeed Kling v3.0 Pro" \
    --ai-claim ai-generated-content \
    --platform tiktok

# Production sign with a real C2PA certificate
/socialforge:c2pa-sign \
    --input assets/q3-launch-hero.png \
    --output assets/signed/q3-launch-hero.png \
    --brand "Acme Corp" \
    --generator "Vertex AI Nano Banana Pro" \
    --ai-claim ai-generated-content \
    --platform instagram \
    --signing-cert /secure/c2pa-prod-cert.pem \
    --signing-key /secure/c2pa-prod-key.pem

AI claim values (IPTC digital source type)

| Value | When to use |
|---|---|
| ai-generated-content | Asset fully generated by AI (default for SocialForge image/video output) |
| ai-assisted-edits | Human-created asset with AI editing (e.g. brand-watermarked stock photo + AI background replacement) |
| ai-no-substantive-changes | AI used but no semantic change (e.g. AI upscaling, AI noise reduction) |

Supported asset formats

Image: .png · .jpg/.jpeg · .webp · .gif · .tiff
Video: .mp4 · .mov · .webm
Audio: .mp3 · .wav

Signing certificate

Production C2PA signatures require a certificate from a CAI-recognized signing authority (Adobe, Truepic, Numbers Protocol, Microsoft Azure Confidential Ledger). Pass --signing-cert and --signing-key for production. If omitted, the script generates a self-signed 90-day dev certificate — assets sign successfully but verify as "signature present, signer not in trust list" at contentcredentials.org/verify. Do not ship dev-cert-signed assets to production.

For production deployment:

  1. Obtain a C2PA-compatible signing certificate from a CAI-recognized authority
  2. Store cert + key securely (not in git; use environment variables or a secret store)
  3. Either pass paths on every invocation OR set c2pa_signing_cert_path and c2pa_signing_key_path in brand profile so the auto-sign hook picks them up

Reference: opensource.contentauthenticity.org/docs/manifest/signing-manifests/
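A pre-flight check for steps 2 and 3, added here as an illustration and not part of SocialForge or c2pa_sign.py. It assumes the brand profile has already been loaded into a Python dict (the profile file format is not shown on this page); check_signing_config and inside_git_worktree are hypothetical names.

```python
import stat
from pathlib import Path

# Brand-profile keys named on this page.
CERT_KEY = "c2pa_signing_cert_path"
KEY_KEY = "c2pa_signing_key_path"


def inside_git_worktree(path: Path) -> bool:
    """True if any ancestor directory of `path` contains a .git entry."""
    return any((parent / ".git").exists() for parent in path.resolve().parents)


def check_signing_config(profile: dict) -> list[str]:
    """Return problems with the signing paths in a brand profile (assumed dict form)."""
    problems = []
    cert, key = profile.get(CERT_KEY), profile.get(KEY_KEY)
    if not cert or not key:
        if profile.get("c2pa_auto_sign"):
            problems.append("auto-sign is on but no production cert/key path is set")
        return problems
    for label, raw in (("cert", cert), ("key", key)):
        p = Path(raw)
        if not p.is_file():
            problems.append(f"{label}: not a regular file")
        elif inside_git_worktree(p):
            problems.append(f"{label}: stored inside a git working tree")
    key_path = Path(key)
    if key_path.is_file():
        # The private key should be accessible to its owner only.
        if stat.S_IMODE(key_path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("key: group/other permission bits are set")
        # A world-writable directory lets another local user swap the key file.
        parent_mode = stat.S_IMODE(key_path.resolve().parent.stat().st_mode)
        if parent_mode & stat.S_IWOTH:
            problems.append("key: parent directory is world-writable")
    return problems


if __name__ == "__main__":
    # Constructed profile: auto-sign enabled, no certificate paths configured.
    print(check_signing_config({"c2pa_auto_sign": True}))
```

Run it before enabling c2pa_auto_sign for a brand; an empty list means the configured paths passed every check.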

Python dependencies

  • c2pa-python>=0.32.6 — auto-installed on first run
  • cryptography — only required for the dev self-signed cert path; auto-installed if missing

These are part of SocialForge's full install. The script auto-installs them via pip install --quiet on first invocation if not present.

Output

JSON status report to stdout:

{
  "status": "success",
  "input": "assets/q3-launch-hero.png",
  "output": "assets/signed/q3-launch-hero.png",
  "size_bytes": 482371,
  "brand": "Acme Corp",
  "generator": "Vertex AI Nano Banana Pro",
  "ai_claim": "ai-generated-content",
  "c2pa_digital_source_type": "TRAINED_ALGORITHMIC_MEDIA",
  "platform": "instagram",
  "created": "2026-05-17T10:30:00+00:00",
  "manifest_embedded_and_verified": true,
  "c2pa_active_manifest_id": "urn:c2pa:...",
  "using_dev_cert": false,
  "verify_url": "https://contentcredentials.org/verify"
}
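A release gate over this status report, added here as an example rather than taken from SocialForge. It blocks assets signed with the dev certificate or missing a verified manifest. The function name release_blockers and the expected_brand parameter are assumptions, and the sample report is constructed from the fields shown above.

```python
import json

# Constructed sample: fields from the status report above, as a dev-cert run would emit them.
DEV_CERT_REPORT = json.dumps({
    "status": "success",
    "brand": "Acme Corp",
    "ai_claim": "ai-generated-content",
    "c2pa_digital_source_type": "TRAINED_ALGORITHMIC_MEDIA",
    "manifest_embedded_and_verified": True,
    "c2pa_active_manifest_id": "urn:c2pa:...",
    "using_dev_cert": True,
})


def release_blockers(report_json: str, expected_brand: str) -> list[str]:
    """Return the reasons a signed asset must not ship; an empty list means none."""
    try:
        report = json.loads(report_json)
    except json.JSONDecodeError:
        return ["status report is not valid JSON"]
    if not isinstance(report, dict):
        return ["status report is not a JSON object"]
    blockers = []
    if report.get("status") != "success":
        blockers.append("signing did not report success")
    # Identity checks on booleans: a missing field or the string "false"
    # must never be read as a pass.
    if report.get("manifest_embedded_and_verified") is not True:
        blockers.append("manifest was not embedded and verified")
    if report.get("using_dev_cert") is not False:
        blockers.append("signed with the self-signed dev certificate")
    if report.get("brand") != expected_brand:
        blockers.append("brand in report does not match the release")
    # Only the claim/tag pair shown in the report above is checked here.
    if (report.get("ai_claim") == "ai-generated-content"
            and report.get("c2pa_digital_source_type") != "TRAINED_ALGORITHMIC_MEDIA"):
        blockers.append("ai_claim and digital source type disagree")
    if not str(report.get("c2pa_active_manifest_id") or "").startswith("urn:c2pa:"):
        blockers.append("no active manifest id")
    return blockers


if __name__ == "__main__":
    for reason in release_blockers(DEV_CERT_REPORT, "Acme Corp"):
        print("BLOCK:", reason)
```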

Integration with the broader Neelverse Suite

This skill is intentionally self-contained — SocialForge does not depend on digital-marketing-pro being installed. The signing logic mirrors DMP's embed-c2pa.py exactly, so an asset signed by either plugin verifies identically (same manifest schema, same IPTC vocabulary, same C2PA spec).

If you run both plugins, a SocialForge-signed asset can be referenced from a DMP engagement (Part 11 — AI Creative Instructions output) without re-signing.

Related

  • scripts/c2pa_sign.py — the underlying implementation
  • scripts/generate_image.py — calls c2pa_sign.py as a post-step when brand profile has c2pa_auto_sign: true
  • scripts/video_postprocess.py — same auto-sign hook for video output
  • references/eu-ai-act-article50.md — regulatory context
  • DMP /digital-marketing-pro:c2pa-metadata — equivalent skill in the DMP plugin; either produces interoperable manifests
  • C2PA spec v2.0
  • Content Authenticity Initiative
Install via CLI
npx skills add https://github.com/indranilbanerjee/socialforge --skill c2pa-sign