feat: implement JPEG and PDF C2PA signing functionality

Added features:

- Python implementation for core C2PA objects
- Python implementation for injecting C2PA manifests into JPEG/JPEG and PDF files
- c2pie CLI tool for file signing
---------

Co-authored-by: SupremeSoviet <112272101+SupremeSoviet@users.noreply.github.com>
Co-authored-by: fpandyz <5389368+fpandyz@users.noreply.github.com>

Author: 3 people

.env-example

@@ -1,4 +1,4 @@
-C2PIE_KEY_FILEPATH=tests/credentials/ps256.pem
-C2PIE_CERT_FILEPATH=tests/credentials/ps256.pub
+C2PIE_PRIVATE_KEY_FILE=tests/credentials/private-key.pem
+C2PIE_CERTIFICATE_CHAIN_FILE=tests/credentials/certificate-chain.pub
 TEST_PDF_PATH=tests/test_files/test_doc.pdf
 TEST_IMAGE_PATH=tests/test_files/test_image.jpg

.github/workflows/lint-and-test.yml

@@ -2,8 +2,9 @@ name: Linting and Testing
 
 on:
   push:
-    branches:
-      - '**'
+    branches-ignore:
+      - master
+      - release/**
     paths-ignore:
       - '**.md'
       - 'docs/**'
@@ -175,8 +176,8 @@ jobs:
             --cov=c2pie \
             -v
         env:
-          C2PIE_KEY_FILEPATH: ${{ vars.C2PIE_KEY_FILEPATH }}
-          C2PIE_CERT_FILEPATH: ${{ vars.C2PIE_CERT_FILEPATH }}
+          C2PIE_PRIVATE_KEY_FILE: ${{ vars.C2PIE_PRIVATE_KEY_FILE }}
+          C2PIE_CERTIFICATE_CHAIN_FILE: ${{ vars.C2PIE_CERTIFICATE_CHAIN_FILE }}
 
       - name: Upload coverage artifact
         if: (matrix.python-version == '3.12') && (matrix.os == 'ubuntu-latest')

.github/workflows/publish-package.yml

@@ -2,7 +2,7 @@ name: Package Publishing
 
 on:
   release:
-    types: [created]
+    types: [created, published]
 
 permissions:
   contents: write

.github/workflows/publish-release.yml

@@ -4,21 +4,18 @@ on:
   push:
     branches:
       - master
-      - release/**
-  create:
-    branches:
-      - release/**
+      - 'release/*'
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   linting-and-testing:
     name: Linting and Testing
     uses: ./.github/workflows/lint-and-test.yml
     permissions:
-      contents: write
       packages: read
+      contents: write
 
   release:
     name: Create and Publish Release
@@ -28,9 +25,6 @@ jobs:
       group: ${{ github.workflow }}-release-${{ github.ref_name }}
       cancel-in-progress: false
 
-    permissions:
-      contents: write
-
     steps:
       - name: Checkout Repository on Release Branch
         uses: actions/checkout@v4
@@ -88,7 +82,7 @@ jobs:
 
       - name: Semantic Version Release
         id: release
-        uses: python-semantic-release/python-semantic-release@v10.4.1
+        uses: python-semantic-release/python-semantic-release@v8.3.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           git_committer_name: "github-actions"

.github/workflows/test-readme-steps.yml

@@ -0,0 +1,103 @@
+name: Execute Readme Steps
+
+on:
+  push:
+    branches:
+      - feature/*
+
+jobs:
+  sign-steps:
+    runs-on: ubuntu-24.04
+    container: python:3.9.2-buster
+    steps:
+    - name: Generate Certificates, Install c2pie, and Sign Image and PDF
+      run: |
+        # Generate private key and certificate chain:
+        openssl genpkey \
+        -algorithm RSA-PSS \
+        -pkeyopt rsa_keygen_bits:2048 \
+        -pkeyopt rsa_pss_keygen_md:sha256 \
+        -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
+        -pkeyopt rsa_pss_keygen_saltlen:32 \
+        -out private_key.key
+
+        openssl req -new -x509 \
+        -key private_key.key \
+        -sha256 -days 825 \
+        -subj "/C=US/ST=CA/L=Somewhere/O=C2PA Test Signing Cert/OU=FOR TESTING_ONLY/CN=C2PA PSS Signer/emailAddress=pie@example.com" \
+        -addext "basicConstraints=critical,CA:false" \
+        -addext "keyUsage=critical,digitalSignature,nonRepudiation" \
+        -addext "extendedKeyUsage=critical,emailProtection" \
+        -out certificate_chain.pem
+
+        # Export created private key and certificate chain files into env variables:
+        export C2PIE_PRIVATE_KEY_FILE=./private_key.key
+        export C2PIE_CERTIFICATE_CHAIN_FILE=./certificate_chain.pem
+
+        # Install package
+        pip install c2pie 
+
+        # Download test image and PDF from this repo
+        wget https://raw.githubusercontent.com/TourmalineCore/c2pie/refs/heads/master/example_app/test_files/test_image.jpg
+        wget https://raw.githubusercontent.com/TourmalineCore/c2pie/refs/heads/master/example_app/test_files/test_doc.pdf
+
+        # Sign files
+        c2pie sign --input_file ./test_image.jpg
+        c2pie sign --input_file ./test_doc.pdf
+
+    - name: Upload Signed Image
+      uses: actions/upload-artifact@v4
+      with:
+        name: signed_test_image
+        path: signed_test_image.jpg
+
+    - name: Upload Signed PDF
+      uses: actions/upload-artifact@v4
+      with:
+        name: signed_test_doc
+        path: signed_test_doc.pdf
+  
+  verify-steps:
+    needs: sign-steps
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Download Signed Image
+      uses: actions/download-artifact@v5
+      with:
+        name: signed_test_image
+    
+    - name: Download Signed PDF
+      uses: actions/download-artifact@v5
+      with:
+        name: signed_test_doc
+    
+    - name: Install Rust toolchain and c2patool
+      uses: baptiste0928/cargo-install@v3
+      with:
+        crate: c2patool
+        
+    - name: Validate Signed Image and PDF
+      run: |
+        c2patool signed_test_image.jpg
+        echo "$(c2patool signed_test_image.jpg)" >> image_validation_results.json
+        c2patool signed_test_doc.pdf
+        echo "$(c2patool signed_test_doc.pdf)" >> pdf_validation_results.json
+        
+    - name: Download jq and Get validation results
+      id: validation_check
+      run: |
+        sudo apt install jq
+        echo "image_validation_results=$(jq -r .validation_state image_validation_results.json)" >> $GITHUB_OUTPUT
+        echo "pdf_validation_results=$(jq -r .validation_state pdf_validation_results.json)" >> $GITHUB_OUTPUT
+
+    - name: Debug validation check 
+      run: |
+        echo "Image validation result extracted from file: ${{ steps.validation_check.outputs.image_validation_results }}"
+        echo "PDF validation result extracted from file: ${{ steps.validation_check.outputs.pdf_validation_results }}"
+
+    - name: Fail if validation failed
+      if: ${{ steps.validation_check.outputs.image_validation_results == 'Invalid' || steps.validation_check.outputs.pdf_validation_results == 'Invalid' }} 
+      run: |
+        echo "Invalid C2PA signature in one of the files. Check logs of the previous step."
+        exit 1
+