Technical Guides

How to Test a Photo for C2PA Content Credentials (Step by Step)

Test any photo for C2PA Content Credentials in your browser, download a known-good C2PA test photo, and check that a validator reports the right result, including the failure cases.

ByLumethic Team
7 min read
Share

Testing a photo for C2PA takes about five seconds and needs nothing but a browser. What takes longer is knowing what the result should look like: the official C2PA test files ship as bare directory listings with no explanation, and most online checkers show you a manifest without telling you whether what you're seeing is correct. This guide covers both directions of the problem, testing a photo you have, and testing a tool against a photo whose correct answer is known.

What testing a photo for C2PA means

C2PA Content Credentials are a block of cryptographically signed metadata that travels inside an image file and records where it came from and what happened to it. If you're new to the standard, start with our C2PA guide; the short version is that a camera, an editor, or an AI generator writes a manifest into the file and signs it, and anyone can later read that manifest back and confirm the file hasn't changed since.

Testing a photo therefore means three checks: whether the file contains a manifest at all, whether the signature is still intact, meaning the image bytes match what was signed, and what the manifest asserts about the signer, the software involved and any use of generative AI.

Test a photo in your browser

The fastest route is a browser-based tester. Our free tool lets you test a photo for C2PA by dropping the file onto the page. It runs the official C2PA library as WebAssembly directly in your browser, so the photo is never uploaded, and it works with JPEG, PNG, WebP, AVIF, HEIC, TIFF, SVG and the RAW formats DNG and ARW.

Three steps:

  1. Drop the photo into the tester. The analysis runs locally and takes a moment.
  2. Read the verdict. The report names the signer, lists every recorded edit, flags AI involvement, and states whether the signature still matches the file.
  3. If nothing is found, that is itself a result, and by far the most common one. Most photos have never carried credentials, and platforms like Instagram or WhatsApp strip them during re-compression.

Adobe's Content Credentials Verify site performs the same check server-side and adds a trust-list lookup on the signer. Running both is a reasonable habit when the stakes are high.

The four outcomes and what they mean

Every C2PA test ends in one of four results.

Signed and intact, no edits recorded. The file carries valid credentials and hasn't changed since signing. That confirms its history, not that the scene was real. A signed photo of a screen showing an AI image is still validly signed.

Signed, but edited after capture. The credentials are intact and the history shows edits. The signature records that an edit happened, not whether it was honest.

Generative AI involved. The manifest itself declares AI generation or AI editing. A valid signature on an AI image doesn't make it authentic; it makes its origin transparent.

Validation failed. The file contains C2PA data but no longer matches what was signed, so it was modified afterwards. Treat every claim in that manifest with caution.

Get a C2PA test photo

To test a validator, a plugin, or simply your own understanding, you need files whose correct answer is known in advance.

The quickest option: our inspector page hosts a downloadable C2PA test photo with an intact signature and a recorded edit history, together with a table stating exactly what a correct implementation must report for it, from the signer down to the expected verdict. Download it, run it through any tool and compare.

For broader coverage, the C2PA organisation maintains the official public test files, a corpus organised by format and date that includes both conforming files and deliberate failure cases. It's the reference set validators are tested against; its only drawback is that nothing on the page tells you what each file should produce, which is why a documented set is worth having alongside it.

And if you want a test file of your own: any photo exported from Photoshop or Lightroom with Content Credentials enabled becomes one, as does any image generated by Adobe Firefly or DALL·E, which embed C2PA automatically.

Testing a validator or pipeline

If you're building or integrating C2PA support, browser spot-checks don't scale. The open-source c2patool CLI from the Content Authenticity Initiative reads and writes manifests headless, which makes it the natural harness: feed it your test set, diff the JSON output against expectations, and wire it into CI.

Two testing principles matter more than tool choice. First, test the negative cases. A validator that has only ever seen valid files hasn't been tested; flip a few image bytes in a signed file without re-signing and confirm your pipeline reports a hash mismatch rather than a pass. Second, don't equate "signature valid" with "trustworthy signer." Test files are typically signed with the C2PA test certificate, which correct tools accept cryptographically but should not present as a trusted identity. After a signing flaw, Nikon revoked every certificate its authenticity program had issued, an episode we cover in why a camera signature isn't proof.

If you want to know whether your own camera can produce signed files to test with, our C2PA camera check covers every model that can.

What a C2PA test cannot tell you

A C2PA test answers one question: has this file changed since it was signed, and what does its signed history claim? It cannot tell you whether an unsigned photo is real, whether recorded edits were honest, or whether the scene in front of the lens was genuine.

That last gap is why we built verification that doesn't depend on capture-time signing. Lumethic verification forensically compares a photo against its RAW original, with eight checks that include sensor authenticity, structural similarity and recapture detection, so any photographer can prove authenticity, C2PA-capable camera or not. The two approaches complement each other: C2PA carries the provenance, forensics establishes it.

Frequently asked questions

How do I test if a photo has C2PA? Drop it into a browser-based tester such as our C2PA inspector. It reads the embedded manifest, checks the signature, and reports the signer, edit history and AI involvement without uploading the file.

Where can I download a C2PA test image? From our inspector page, which documents the expected result for its test photo, or from the official C2PA public test files for a full multi-format corpus.

My photo shows no credentials. Does the test prove it's fake? No. Most images never had credentials, and social platforms strip them. Absence is not evidence of manipulation, it is the default state of images on the web.

Can a photo pass a C2PA test and still be misleading? Yes. A valid signature confirms integrity since signing, nothing more. An AI image with honest credentials passes; so does a signed photograph of a screen. Read the manifest's content, not just its green check.

Related Reading

#C2PA#Content Credentials#Testing#Provenance#Verification