v0.11.1 builder.sign_file results in invalid signature value

[rokclimb15]

I have modified our code just slightly for the new 0.10.0+ methods, but it fails our local test suite which worked under 0.6.0

def write(filename: str, manifest: dict, public_key: str, signing_function: Callable) -> tuple[int, bytes | None]:
    manifest_json = json.dumps(manifest)

    builder = c2pa.Builder(manifest_json)

    signer = c2pa.Signer.from_callback(
        signing_function,
        c2pa.C2paSigningAlg.ES256,
        public_key, 
        "http://timestamp.digicert.com"
    )

    tmp_output = os.path.join('/tmp', 'tmp.' + os.path.splitext(filename)[1])

    signed_bytes = builder.sign_file(filename, tmp_output, signer)

    os.rename(tmp_output, filename)

    return signed_bytes

c2pa_signer_create
c_callback: signed_size: 0
[ERROR] C2paError: Signature: invalid signature value
Traceback (most recent call last):
  File "/index.py", line 96, in lambda_handler
    signed_manifest_bytes = c2pa_lib.write(file_path, manifest_payload, public_key, sign)
  File "/c2pa_lib.py", line 17, in write
    signed_bytes = builder.sign_file(filename, tmp_output, signer)
  File "/usr/local/lib/python3.12/site-packages/c2pa/c2pa.py", line 1836, in sign_file
    return self._sign_internal(signer, mime_type, source_stream, dest_stream)
  File "/usr/local/lib/python3.12/site-packages/c2pa/c2pa.py", line 1769, in _sign_internal
    raise C2paError(error)

[tmathern]

Can we try a thing? Can your signing process be converted to something like this for the test, to narrow down things? (here:

# (from setup)
self.signer_info = C2paSignerInfo(
            alg=b"es256",
            sign_cert=self.certs,
            private_key=self.key,
            ta_url=b"http://timestamp.digicert.com"
)
self.signer = Signer.from_info(self.signer_info)

def test_sign_file(self):
        """Test signing a file using the sign_file method."""
        import tempfile
        import shutil

        # Create a temporary directory for the test
        temp_dir = tempfile.mkdtemp()
        try:
            # Create a temporary output file path
            output_path = os.path.join(temp_dir, "signed_output.jpg")

            # Use the sign_file method
            builder = Builder(self.manifestDefinition)
            result = builder.sign_file(
                source_path=self.testPath,
                dest_path=output_path,
                signer=self.signer
            )

            # Verify the output file was created
            self.assertTrue(os.path.exists(output_path))

            # Read the signed file and verify the manifest
            with open(output_path, "rb") as file:
                reader = Reader("image/jpeg", file)
                json_data = reader.json()
                self.assertIn("Python Test", json_data)
                self.assertNotIn("validation_status", json_data)

        finally:
            # Clean up the temporary directory
            shutil.rmtree(temp_dir)

This API is different to what you use currently.

The steps to test should also be like

1. Create your Builder with manifest: builder = Builder(self.manifestDefinition) (that is already done in your code)
2. Create a Signer using Signer info. Note the changes in var names to use.
3. Sign as before.

Does your signing also fail if using this API?

[rokclimb15]

I am using KMS as a remote signer, so I don't have access to the private key that corresponds. I can try a minimal testcase with a local signing callback that just returns bytes, I imagine it will also fail.

…

On Fri, Jun 20, 2025 at 10:58 AM tmathern ***@***.***> wrote: *tmathern* left a comment (contentauth/c2pa-python#124) <#124 (comment)> Can we try a thing? Can your signing process be converted to something like this for the test, to narrow down things? (here <https://github.com/contentauth/c2pa-python/blob/main/tests/test_unit_tests.py#L718-L749> : # (from setup) self.signer_info = C2paSignerInfo( alg=b"es256", sign_cert=self.certs, private_key=self.key, ta_url=b"http://timestamp.digicert.com" ) self.signer = Signer.from_info(self.signer_info) def test_sign_file(self): """Test signing a file using the sign_file method.""" import tempfile import shutil # Create a temporary directory for the test temp_dir = tempfile.mkdtemp() try: # Create a temporary output file path output_path = os.path.join(temp_dir, "signed_output.jpg") # Use the sign_file method builder = Builder(self.manifestDefinition) result = builder.sign_file( source_path=self.testPath, dest_path=output_path, signer=self.signer ) # Verify the output file was created self.assertTrue(os.path.exists(output_path)) # Read the signed file and verify the manifest with open(output_path, "rb") as file: reader = Reader("image/jpeg", file) json_data = reader.json() self.assertIn("Python Test", json_data) self.assertNotIn("validation_status", json_data) finally: # Clean up the temporary directory shutil.rmtree(temp_dir) This API is different to what you use currently. The steps to test should also be like 1. Create your Builder with manifest: builder = Builder(self.manifestDefinition) (that is already done in your code) 2. Create a Signer using Signer info. Note the changes in var names to use. 3. Sign as before. Does your signing also fail if using this API? — Reply to this email directly, view it on GitHub <#124 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEOMZZNCDFJSQ6VQKKFKUD3EQORBAVCNFSM6AAAAAB7YHBYU6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDSOJRHEZTQMJSGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[tmathern]

That would be helpful to repro the issue though. And then we could add it to the lib's test cases and use it to debug.

[rokclimb15]

I was not able to get a working local script, the process is just too different from KMS to mimic. However, I noticed that Builder.sign_file now returns the number of bytes signed rather than the signed bytes themselves, which our workflow relies upon.

Is there a different set of APIs I can call to use a custom signer and get back the signed bytes? If not, we're stuck on 0.6.0 for now.

[tmathern]

I have a repro and a tentative fix in #125.

I also updated sign_file (the helper method, not the one on Builder directly) with overloads (takes either signer directly or signer info to create a signer), and an additional optional parameter to set to True to return the manifest bytes instead of the manifest store as JSON.

[rokclimb15]

Thanks for tracking this down, this looks like it will work for us! I'll follow this issue to keep an eye on when the fix merges and is deployed.

[tmathern]

I'll also let you know - I expect this fix would lead to a new minor version.

[tmathern]

#125 was merged, turning into a v0.12.0 version.
The sign functions from builders now return the manifest bytes (no tuple, just the manifest bytes (and not the manifest bytes length).

https://pypi.org/project/c2pa-python/0.12.0/