Merge branch 'main' into old-new-manifests

crandmck · web-flow · commit a6db053bbbda · 2025-07-17T14:23:12.000-07:00
diff --git a/docs/community.md b/docs/community.md
@@ -29,13 +29,25 @@ We also welcome thoughtful pull requests (PRs) from the community, following the
 
 Participants are required to follow the [Adobe Code of Conduct](https://github.com/contentauth/c2pa-rs/blob/main/CODE_OF_CONDUCT.md) to maintain an open and welcoming environment for all.
 
+### Incubator projects
+
+:::warning Warning
+Incubator projects are still under active development and are not yet ready for general use.  However, input and bug reports are welcome in the GitHub repositories.
+:::
+
+These projects are in early alpha release:
+- [iOS Library](https://github.com/contentauth/c2pa-ios): Provides iOS/macOS support via Swift Package/XCFramework.
+- [Android Library](https://github.com/contentauth/c2pa-android): Provides native Android support via an AAR library.
+
+Both of these projects wrap the C2PA Rust implementation ([c2pa-rs](https://github.com/contentauth/c2pa-rs)) using its C API bindings.
+
 ### Related projects
 
 These related projects may be of interest, but the CAI team doesn't maintain or support them:
 
 - [**Drupal module**](https://github.com/contentauth/c2pa-drupal): Enables Drupal sites to process and display Content Credentials for supported image types.
 - [**DASH video player**](https://github.com/contentauth/dash.js/tree/c2pa-dash):  DASH video player that displays Content Credentials in browsers for supported media types. This repo/branch is a work-in-progress forked from [dash.js](https://github.com/Dash-Industry-Forum/dash.js), the canonical reference JavaScript implementation for the playback of MPEG DASH. 
-- [**TrustMark**](https://github.com/adobe/trustmark): Open-source Python implementation of watermarking for encoding, decoding and removing image watermarks.
+- [**TrustMark**](https://github.com/adobe/trustmark): Open-source Python implementation of watermarking for encoding, decoding and removing image watermarks. You can use TrustMark as part of providing [durable content credentials](durable-cr.md).
 - [**C2PA Security Testing Tool**](https://github.com/contentauth/c2pa-attacks): A CLI tool derived from [c2patool](https://github.com/contentauth/c2patool) that performs security testing on a Content Credentials application.  This tool is intended for use by software security professionals.
 
 ## Discussions on Discord
diff --git a/docs/durable-cr/index.md b/docs/durable-cr/index.md
@@ -1,5 +1,5 @@
 ---
-id: durable-cr
+id: index
 title: Durable Content Credentials
 ---
 
diff --git a/docs/durable-cr/soft-bindings.mdx b/docs/durable-cr/soft-bindings.mdx
diff --git a/docs/durable-cr/trustmark-faq.mdx b/docs/durable-cr/trustmark-faq.mdx
@@ -47,6 +47,6 @@ hide_table_of_contents: true
   - [Is TrustMark compatible with blockchain technology?](#is-trustmark-compatible-with-blockchain-technology)
   - [Can TrustMark be used for NFT provenance?](#can-trustmark-be-used-for-nft-provenance)
 
-import Faq from './trustmark/FAQ.md';
+import Faq from '../trustmark/FAQ.md';
 
 <Faq name="faq" />
diff --git a/docs/durable-cr/trustmark-intro.md b/docs/durable-cr/trustmark-intro.md
@@ -10,7 +10,7 @@ TrustMark is an open-source universal watermarking system for images that:
 - Has implementations in Python (using PyTorch), [Rust](trustmark/rust/README.md), and [JavaScript](trustmark/js/README.md) (both using ONNX).
 
 :::info
-For full technical details and help getting started with TrustMark, see [TrustMark - Overview](trustmark/readme.md).
+For full technical details and help getting started with TrustMark, see [TrustMark - Overview](trustmark/README.md).
 :::
 
 ## Variants
diff --git a/docs/getting-started.mdx b/docs/getting-started.mdx
@@ -15,7 +15,7 @@ The CAI open-source SDK is fully compliant with the C2PA specification, but it's
 
 ## Important terminology
 
-To understand how CAI works, you need to understand some basic vocabulary. Having this vocabulary makes it easier to discuss CAI's technical aspects. The definitions below are summarized and slightly simplified from the [Glossary in the C2PA specification](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_glossary). This document is meant to convey the general concepts and may not cover all technical details or edge cases that the specification addresses.
+To understand how CAI works, you need to understand some basic vocabulary. Having this vocabulary makes it easier to discuss CAI's technical aspects. The definitions below are summarized and slightly simplified from the [Glossary in the C2PA specification](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_glossary). This document is meant to convey the general concepts and may not cover all technical details or edge cases that the specification addresses.
 
 Let's start with a broad definition of _content provenance_ which means information on the creation, authorship, and editing of a digital asset such as an image. _Content Credentials_ include this provenance information, along with the cryptographic means to authenticate that the information is correctly tied to the content and is unchanged from when it was originally added. Sometimes these two terms are used to loosely mean the same thing: Technology to verify the origin and history of a digital asset.
 
@@ -33,7 +33,7 @@ Now, let's drill down a bit to clarify some of these terms.
 
 **Action**: An operation that an _actor_ performs on an _asset._ For example, "create," "embed," or "change contrast."
 
-**Assertion**: Part of the manifest "asserted" by an actor that contains data about an asset's creation, authorship, how it's been edited, and other relevant information. For example, an assertion might be "change image contrast." For a list of standard C2PA assertions, see the [C2PA Specification](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_c2pa_standard_assertions).
+**Assertion**: Part of the manifest "asserted" by an actor that contains data about an asset's creation, authorship, how it's been edited, and other relevant information. For example, an assertion might be "change image contrast." For a list of standard C2PA assertions, see the [C2PA Specification](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_c2pa_standard_assertions).
 
 **Certificate Authority (CA)**: A trusted third party that verifies the identity of an organization applying for a digital certificate. After verifying the organization's identity, the CA issues a certificate and binds the organization's identity to a public key. A digital certificate can be trusted because it is chained to the CA's root certificate.
 
@@ -53,15 +53,15 @@ Now, let's drill down a bit to clarify some of these terms.
 
 **Manifest store**: A collection of manifests associated with asset. The most recent manifest in the manifest store is the _active manifest_, which has the set of _content bindings_ that are hashed with the asset and thus can be validated.
 
-For more definitions and detail, see the [C2PA specification](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_glossary).
+For more definitions and detail, see the [C2PA specification](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_glossary).
 
 ## How it works
 
 A _manifest_ is a binary data structure that describes the history and identity data attached to digital asset. The CAI SDK enables applications and websites to attach a manifest to an asset and display it when requested. This helps viewers to understand the origin and evolution of the asset.
 
 Although the manifest structure described in the C2PA specification is a complex binary structure, the CAI SDK works with a JSON manifest format that's easier to understand and use. It's essentially a declarative language for representing and creating a manifest in binary format. For more information on the CAI JSON manifest, see [Working with manifests](manifest/understanding.md).
 
-The CAI uses _cryptographic asset hashing_ to provide verifiable, tamper-evident signatures to indicate that the asset and metadata haven't been altered since the asset was published with the attached manifest. This means that a hash function converts the digital asset data to a unique "fingerprint," which is signed using a certificate. Once the credentials are signed, if the asset is changed then its fingerprint also changes. That's why it's called "tamper evident." You're not prevented from changing an image that has Content Credentials, but if you do, the credentials are no longer valid unless you change it using a tool that updates and re-hashes the credentials, along with a timestamp and optionally a description of what changed. The C2PA specification refers to this as [hard binding](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_binding_to_content).
+The CAI uses _cryptographic asset hashing_ to provide verifiable, tamper-evident signatures to indicate that the asset and metadata haven't been altered since the asset was published with the attached manifest. This means that a hash function converts the digital asset data to a unique "fingerprint," which is signed using a certificate. Once the credentials are signed, if the asset is changed then its fingerprint also changes. That's why it's called "tamper evident." You're not prevented from changing an image that has Content Credentials, but if you do, the credentials are no longer valid unless you change it using a tool that updates and re-hashes the credentials, along with a timestamp and optionally a description of what changed. The C2PA specification refers to this as [hard binding](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_binding_to_content).
 
 ## Introduction to public key infrastructure
 
@@ -98,7 +98,7 @@ The C2PA [Verify tool](https://contentcredentials.org/verify) uses a list of _kn
 
 ## Identity
 
-To identify who created or modified an asset, identity needs to be verifiable and bound to an asset and its manifest store. The CAI SDK supports the [W3C verifiable credentials](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_w3c_verifiable_credentials) standard recommendation (part of the C2PA specification), but doesn't currently have a way to validate these credentials or ensure that they properly reflect authorship of the content. An actor can add one or more identities to a manifest using the W3C verifiable credentials data model. Currently, a verifier must trust the manifest signer to properly authenticate the identity.
+To identify who created or modified an asset, identity needs to be verifiable and bound to an asset and its manifest store. The CAI SDK supports the [W3C verifiable credentials](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_w3c_verifiable_credentials) standard recommendation (part of the C2PA v1.4 specification), but doesn't currently have a way to validate these credentials or ensure that they properly reflect authorship of the content. An actor can add one or more identities to a manifest using the W3C verifiable credentials data model. Currently, a verifier must trust the manifest signer to properly authenticate the identity.
 
 Identity can be bolstered with other kinds of evidence such as _Adobe connected accounts_. In the future, the identity credentials will be separately verifiable. In the future, these verifiable credentials will be strongly bound to the manifest and media and be independently verifiable.
 
diff --git a/docs/introduction.mdx b/docs/introduction.mdx
@@ -184,7 +184,7 @@ C2PA provides the formal technical specifications and open standards for content
 The "cr" icon is trademarked by the C2PA and is the _de facto_ mark for C2PA user experiences. C2PA members can use this icon to provide a consistent user experience and set expectations that an application, tool, or website implements C2PA standards.
 
 :::info
-For detailed guidance on using the "cr" icon, see [C2PA User Experience Guidance for Implementers](https://c2pa.org/specifications/specifications/1.4/ux/UX_Recommendations.html#_l1_indicator_of_c2pa_data).
+For detailed guidance on using the "cr" icon, see [C2PA User Experience Guidance for Implementers](https://c2pa.org/specifications/specifications/2.0/ux/UX_Recommendations.html#_l1_indicator_of_c2pa_data).
 :::
 
 ### CAI
diff --git a/docs/js-sdk/getting-started/overview.mdx b/docs/js-sdk/getting-started/overview.mdx
@@ -43,8 +43,8 @@ Key features of the JavaScript library include:
 - **Developer friendly**: Full TypeScript support and robust debugging support using the [debug](https://github.com/debug-js/debug) library make integration easy.
 - **Performance**: The processing code of the library uses a high-performance [WebAssembly](https://developer.mozilla.org/en-US/docs/WebAssembly) binary. Additionally, the library offloads processing tasks to a configurable Web Worker pool to enable parallelization and avoid blocking a web application's main thread.
 - **Lazy loading and processing**: Since images can be quite large, the library inspects the start of an asset file for C2PA manifest data before requesting the entire file, [if the server supports it](../guides/hosting#range-requests). The library will download the rest of the asset only if it finds the metadata marker. Additionally, it delays loading the WebAssembly binary until it makes the first processing request.
-- **Adherence to the C2PA specification**: The library strives to maintain compliance with the [C2PA specification](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html) as much as possible, and the web components follow the [C2PA user experience guidance](https://c2pa.org/specifications/specifications/1.0/ux/UX_Recommendations.html) recommendations.
-- **Security and encryption**: The library handles all [validation](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_validation) via the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API) and passes any validation errors back to the client. It supports all ECDSA and RSASSA-PSS algorithms listed in the [C2PA specification](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_digital_signatures).
+- **Adherence to the C2PA specification**: The library strives to maintain compliance with the [C2PA specification](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html) as much as possible, and the web components follow the [C2PA user experience guidance](https://c2pa.org/specifications/specifications/1.0/ux/UX_Recommendations.html) recommendations.
+- **Security and encryption**: The library handles all [validation](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_validation) via the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API) and passes any validation errors back to the client. It supports all ECDSA and RSASSA-PSS algorithms listed in the [C2PA specification](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html#_digital_signatures).
   :::caution
   The JavaScript library does not currently support Ed25519 signatures.
   :::caution
diff --git a/docs/manifest/understanding.md b/docs/manifest/understanding.md
@@ -54,4 +54,5 @@ The time-stamp is typically defined as part of the signing information. You can
 ## References
 
 - [JUMBF](https://www.iso.org/standard/84635.html): A framework for JPEG standards to add universal metadata, supplementary images, or other elements in addition to the base image.
-- [C2PA Technical Specification v2.2](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html)
+- [C2PA Technical Specification v2.2](https://c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification.html)
+
diff --git a/scripts/fetch-readme.js b/scripts/fetch-readme.js
@@ -142,6 +142,11 @@ const readmes = [
     repo: 'contentauth/c2pa-python',
     path: 'docs/release-notes.md',
   },
+  {
+    dest: resolve(__dirname, '../docs/c2pa-python/docs/examples.md'),
+    repo: 'contentauth/c2pa-python',
+    path: 'examples/README.md',
+  },
   {
     dest: resolve(__dirname, '../docs/c2pa-python-example/readme.md'),
     repo: 'contentauth/c2pa-python-example',
diff --git a/sidebars.js b/sidebars.js
@@ -197,6 +197,11 @@ const sidebars = {
               id: 'c2pa-python/docs/supported-formats',
               label: 'Supported media formats',
             },
+            {
+              type: 'doc',
+              id: 'c2pa-python/docs/examples',
+              label: 'Python example code',
+            },
             {
               type: 'doc',
               id: 'c2pa-python/docs/release-notes',
@@ -313,18 +318,18 @@ const sidebars = {
     {
       type: 'category',
       label: 'Durable Content Credentials',
-      link: { type: 'doc', id: 'durable-cr' },
+      link: { type: 'doc', id: 'durable-cr/index' },
       collapsed: true,
       items: [
         {
           type: 'doc',
           label: 'Watermarking and fingerprinting',
-          id: 'sb-algs',
+          id: 'durable-cr/sb-algs',
         },
         {
           type: 'category',
           label: 'TrustMark watermarking',
-          link: { type: 'doc', id: 'trustmark-intro' },
+          link: { type: 'doc', id: 'durable-cr/trustmark-intro' },
           collapsed: true,
           items: [
             {
@@ -359,7 +364,7 @@ const sidebars = {
             },
             {
               type: 'doc',
-              id: 'tm-faq',
+              id: 'durable-cr/tm-faq',
               label: 'FAQ',
             },
             {
