Merge branch 'main' into manifest-tasks

Author: crandmck

.github/workflows/build-deploy.yaml

@@ -9,7 +9,7 @@ on:
     types: [opened, synchronize]
 jobs:
   build-deploy:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     defaults:
       run:
         working-directory: site

.gitignore

@@ -7,6 +7,8 @@
 # Generated files
 .docusaurus
 .cache-loader
+
+# External files loaded by fetch-readmes script
 /docs/js-sdk/api
 /docs/js-sdk/examples/*
 /docs/js-sdk/examples/*
@@ -22,6 +24,13 @@
 /docs/rust-sdk/*.md
 /docs/rust-sdk/docs/*.md
 /docs/**/readme.md
+/static/sb-alg-list.json
+/docs/trustmark/*.md
+/docs/trustmark/c2pa/*.md
+/docs/trustmark/js/*.md
+/docs/trustmark/python/*.md
+/docs/trustmark/rust/*.md
+/docs/trustmark/rust/crates/trustmark-cli/*.md
 
 # Misc
 .DS_Store

docs/c2pa-js/.gitkeep

@@ -29,13 +29,25 @@ We also welcome thoughtful pull requests (PRs) from the community, following the
 
 Participants are required to follow the [Adobe Code of Conduct](https://github.com/contentauth/c2pa-rs/blob/main/CODE_OF_CONDUCT.md) to maintain an open and welcoming environment for all.
 
+### Incubator projects
+
+:::warning Warning
+Incubator projects are still under active development and are not yet ready for general use.  However, input and bug reports are welcome in the GitHub repositories.
+:::
+
+These projects are in early alpha release:
+- [iOS Library](https://github.com/contentauth/c2pa-ios): Provides iOS/macOS support via Swift Package/XCFramework.
+- [Android Library](https://github.com/contentauth/c2pa-android): Provides native Android support via an AAR library.
+
+Both of these projects wrap the C2PA Rust implementation ([c2pa-rs](https://github.com/contentauth/c2pa-rs)) using its C API bindings.
+
 ### Related projects
 
 These related projects may be of interest, but the CAI team doesn't maintain or support them:
 
 - [**Drupal module**](https://github.com/contentauth/c2pa-drupal): Enables Drupal sites to process and display Content Credentials for supported image types.
 - [**DASH video player**](https://github.com/contentauth/dash.js/tree/c2pa-dash):  DASH video player that displays Content Credentials in browsers for supported media types. This repo/branch is a work-in-progress forked from [dash.js](https://github.com/Dash-Industry-Forum/dash.js), the canonical reference JavaScript implementation for the playback of MPEG DASH. 
-- [**TrustMark**](https://github.com/adobe/trustmark): Open-source Python implementation of watermarking for encoding, decoding and removing image watermarks.
+- [**TrustMark**](https://github.com/adobe/trustmark): Open-source Python implementation of watermarking for encoding, decoding and removing image watermarks. You can use TrustMark as part of providing [durable content credentials](durable-cr/index.md).
 - [**C2PA Security Testing Tool**](https://github.com/contentauth/c2pa-attacks): A CLI tool derived from [c2patool](https://github.com/contentauth/c2patool) that performs security testing on a Content Credentials application.  This tool is intended for use by software security professionals.
 
 ## Discussions on Discord

docs/community.md

@@ -0,0 +1,96 @@
+---
+id: conformance
+title: C2PA conformance program
+---
+
+The [C2PA conformance program](https://c2pa.org/conformance) was launched in mid-2025 to help ensure that products that read and create Content Credentials are compliant with the C2PA Content Credentials specification.
+
+The C2PA conformance program covers:
+
+- [Validator products](#validator-products) that read and validate Content Credentials.
+- [Generator products](#generator-products) that create Content Credentials and add them to a digital asset.
+- [Certificate authorities (CAs)](#certificate-authorities).
+
+:::info
+If you're developing a product that reads or creates Content Credentials, you can apply for the C2PA conformance program. If accepted, the product is added to the [conforming products list](https://github.com/c2pa-org/conformance-public/blob/main/conforming-products/conforming-products-list.json#L302), which indicates it is compliant with the C2PA Content Credentials specification.
+
+**To start the process, fill out C2PA's [expression of interest form](https://docs.google.com/forms/d/e/1FAIpQLScERZH5rKfoeSu3y6gGbkllkyeAhmF0G-kXS0eXpb2vR238Rg/viewform).**
+:::
+
+When you apply to the conformance program, you will:
+
+- Sign a legal agreement with the C2PA.
+- Provide evidence supporting your application such as diagrams and documentation.
+- Work with the conformance program staff to resolve any questions.
+
+## Products
+
+### Validator products
+
+A _validator product_ can read and validate a manifest store for a digital asset.
+A conforming validator product produces correct validation results according to the C2PA Content Credentials specification.
+
+For more information, see [C2PA Conformance Program Documents](https://github.com/c2pa-org/conformance-public/tree/main/docs/current), specifically
+[C2PA conformance program - section 6.1.1, Validator Product Specification Requirements](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Conformance%20Program.pdf).
+
+### Generator products
+
+A _generator product_ can generate manifest data for a digital asset. A conforming generator product produces manifest data that conforms to the C2PA Content Credentials specification, creates assertions in the asset's active manifest and signs a claim using a valid X.509 certificate on the C2PA trust list.
+
+For more information, see [C2PA Conformance Program Documents](https://github.com/c2pa-org/conformance-public/tree/main/docs/current), specifically:
+
+- [C2PA conformance program - section 6.1.1, Generator Product Specification Requirements](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Conformance%20Program.pdf)
+- [C2PA Generator Product Security
+  Requirements](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Generator%20Product%20Security%20Requirements.pdf)
+
+#### Preliminary certificate check
+
+To confirm all the settings in your signing certificate, you can follow the [preliminary certificate check](trust-list.mdx#checking-your-certificate) for the interim trust list to help ensure everything is as expected.
+
+#### Security requirements
+
+When you apply to the conformance program, you must fill out the information required in the **product security architecture template** in Appendix C of the [C2PA Generator Product Security
+Requirements](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Generator%20Product%20Security%20Requirements.pdf), providing details on:
+
+- The organization submitting the application.
+- The product, its capabilities, and the systems it uses or relies upon.
+- The product's security architecture, including methods for key generation and storage, and protections against various kinds of misconfiguration, abuse, and exploitations.
+
+### Assurance levels
+
+A conforming product's _assurance level_ indicates the level of confidence that claims it signs reflect its intended behavior. A higher assurance level indicates a greater level of confidence. Currently, the conformance program has two assurance levels: level 1 and level 2:
+
+- [C2PA Generator Product Security
+  Requirements](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Generator%20Product%20Security%20Requirements.pdf) details the security requirements for each assurance level.
+- [C2PA certificate policy - Appendix A](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) details the requirements for claim signing certificates for each assurance level.
+
+The assurance level is encoded as the value of a custom X.509 v3 certificate extension in the product's claim signing certificate. The C2PA defines the _max assurance level_ of a generator product based on the security attributes of its overall implementation architecture. The assurance level in the certificate issued to a particular instance of a conforming generator product may be lower than the max assurance level.
+
+## Certificate authorities
+
+The [C2PA certificate policy](https://github.com/c2pa-org/conformance-public/blob/main/docs/current/C2PA%20Certificate%20Policy.pdf) specifies requirements for certificate authorities (CAs) that issue claim signing certificates for use by generator products, and the requirements that those products have to meet when using the certificates.
+
+CAs on the C2PA trust list can issue certificates to conforming generator products under the C2PA conformance program.
+
+## C2PA trust lists
+
+C2PA maintains two trust lists:
+
+- [**C2PA trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TRUST-LIST.pem): A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue certificates to conforming generator products under the C2PA Certificate Policy.
+- [**C2PA time-stamping authority (TSA) trust list**](https://github.com/c2pa-org/conformance-public/blob/main/trust-list/C2PA-TSA-TRUST-LIST.pem): A list of X.509 certificate trust anchors (either root or subordinate certification authorities) that issue time-stamp signing certificates to TSAs.
+
+### Interim trust list retirement
+
+With the introduction of the C2PA trust list, the existing [interim (temporary) trust list](trust-list.mdx) is being retired on the following timeline:
+
+- **Through December 31, 2025**: The [interim trust list](trust-list.mdx) will remain operational. During this time:
+  - The [Verify site](https://contentcredentials.org/verify) will continue to display manifests signed by certificates on the interim trust list as trusted, but with a disclaimer that the manifests were made with an older version of the trust model.
+  - New certificates will continue to be added to the interim trust list when requested.
+  - Product developers are strongly encouraged to apply to the C2PA conformance program and use the official C2PA trust list.
+- **On January 1, 2026**: The interim trust list will be frozen:
+  - No new certificates will be added to the list, and no updates will be made.
+  - Existing certificates will remain valid for legacy support.
+
+Eventually, the certificates on the interim trust list will expire and will not be usable for signing. However, if content was signed during the certificate's validity period, the content will always be considered valid against the legacy trust model.
+
+Validator products are encouraged to begin distinguishing between Content Credentials signed with certificates on the interim trust list (typically tied to Content Credentials specification version version 1.4) and those from conforming products using the official C2PA trust list.

docs/conformance.mdx

@@ -0,0 +1,14 @@
+---
+id: index
+title: Durable Content Credentials
+---
+
+[_Durable Content Credentials_](https://contentauthenticity.org/blog/durable-content-credentials) is a concept that helps content provenance to persist across content platforms by using C2PA manifest data in conjunction with:
+
+- **Invisible watermarks**, actively inserted into the content.
+- **Content fingerprints**, passively computed from the content.
+
+Platforms that host media assets might remove C2PA manifest data, if, for example, they use software that does not yet support the standard. If a copy of the manifest data is stored in an online database, you can use a watermark or a fingerprint to find it again.
+Combining both watermarks and fingerprints further improves the robustness of the provenance information.
+
+The C2PA specification refers to watermarking and content fingerprinting as [soft bindings](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_soft_bindings), and requires that they be generated using one of the approved [Watermarking and fingerprinting algorithms](soft-bindings.mdx).

docs/durable-cr/index.md

@@ -0,0 +1,15 @@
+---
+id: sb-algs
+title: Watermarking and fingerprinting algorithms
+hide_table_of_contents: true
+---
+
+The C2PA specification refers to watermarking and content fingerprinting as [soft bindings](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_soft_bindings), which can be used to find digital content, even if the underlying bits differ. The C2PA specification requires that soft bindings be generated using one of the [algorithms](https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_soft_binding_algorithm_list) approved by the C2PA Technical Working Group.
+
+:::note
+The table below is provided **for convenience only** and is created and automatically updated based on data from the [C2PA Soft Binding Algorithm List](https://github.com/c2pa-org/softbinding-algorithm-list/blob/main/softbinding-algorithm-list.json), which is the single authoritative source of the information.
+:::
+
+import JSONToTable from '@site/src/components/JSONToTable';
+
+<JSONToTable />

docs/durable-cr/soft-bindings.mdx

@@ -0,0 +1,52 @@
+---
+id: tm-faq
+title: TrustMark FAQ
+hide_table_of_contents: true
+---
+
+- [General Usage and Adoption](#general-usage-and-adoption)
+  - [What is TrustMark?](#what-is-trustmark)
+  - [How does TrustMark compare to traditional visible watermarks?](#how-does-trustmark-compare-to-traditional-visible-watermarks)
+  - [What is this software?](#what-is-this-software)
+  - [Can I integrate TrustMark into my own application?](#can-i-integrate-trustmark-into-my-own-application)
+  - [Can I use TrustMark in commercial projects?](#can-i-use-trustmark-in-commercial-projects)
+  - [Why would I want to make an image identifiable using TrustMark?](#why-would-i-want-to-make-an-image-identifiable-using-trustmark)
+  - [Can TrustMark be embedded in any images, including those generated by AI?](#can-trustmark-be-embedded-in-any-images-including-those-generated-by-ai)
+  - [How does TrustMark align with provenance standards such as the C2PA?](#how-does-trustmark-align-with-provenance-standards-such-as-the-c2pa)
+  - [Does TrustMark alter metadata or EXIF information?](#does-trustmark-alter-metadata-or-exif-information)
+- [Technical Details](#technical-details)
+  - [Does TrustMark support my image format?](#does-trustmark-support-my-image-format)
+  - [Does TrustMark work on grayscale images?](#does-trustmark-work-on-grayscale-images)
+  - [How fast is TrustMark?](#how-fast-is-trustmark)
+  - [What are the image resolution limits of TrustMark?](#what-are-the-image-resolution-limits-of-trustmark)
+  - [How robust is TrustMark?](#how-robust-is-trustmark)
+  - [Can I print TrustMark?](#can-i-print-trustmark)
+  - [Can TrustMark be embedded in vector graphics?](#can-trustmark-be-embedded-in-vector-graphics)
+  - [What dataset was TrustMark trained on?](#what-dataset-was-trustmark-trained-on)
+  - [What happens if I apply TrustMark to an already watermarked image?](#what-happens-if-i-apply-trustmark-to-an-already-watermarked-image)
+  - [How does TrustMark compare to State of the Art Watermarking approaches](#how-does-trustmark-compare-to-state-of-the-art-watermarking-approaches)
+  - [Can TrustMark co-exist with other watermarks?](#can-trustmark-co-exist-with-other-watermarks)
+- [Configuration](#configuration)
+  - [Which variant of TrustMark should I use?](#which-variant-of-trustmark-should-i-use)
+  - [How can I trade off between robustness and capacity?](#how-can-i-trade-off-between-robustness-and-capacity)
+  - [How can I trade off between robustness and quality?](#how-can-i-trade-off-between-robustness-and-quality)
+  - [Can I control where the watermark is embedded in an image?](#can-i-control-where-the-watermark-is-embedded-in-an-image)
+  - [Does TrustMark affect the file size of an image?](#does-trustmark-affect-the-file-size-of-an-image)
+- [Security and Privacy](#security-and-privacy)
+  - [Can TrustMark be removed?](#can-trustmark-be-removed)
+  - [Can TrustMark be used to track users or infringe on privacy?](#can-trustmark-be-used-to-track-users-or-infringe-on-privacy)
+  - [Can TrustMark be used to secretly mark images without user consent?](#can-trustmark-be-used-to-secretly-mark-images-without-user-consent)
+  - [Is TrustMark steganographic watermarking?](#is-trustmark-steganographic-watermarking)
+  - [Why release removal code?](#why-release-removal-code)
+  - [Does TrustMark interfere with other AI or image processing tasks like object detection?](#does-trustmark-interfere-with-other-ai-or-image-processing-tasks-like-object-detection)
+  - [Can TrustMark be used to detect image manipulation?](#can-trustmark-be-used-to-detect-image-manipulation)
+  - [Can TrustMark be transferred from one image to another?](#can-trustmark-be-transferred-from-one-image-to-another)
+  - [What stops someone from spoofing a TrustMark?](#what-stops-someone-from-spoofing-a-trustmark)
+- [Future Developments](#future-developments)
+  - [Will TrustMark support other media types like video?](#will-trustmark-support-other-media-types-like-video)
+  - [Is TrustMark compatible with blockchain technology?](#is-trustmark-compatible-with-blockchain-technology)
+  - [Can TrustMark be used for NFT provenance?](#can-trustmark-be-used-for-nft-provenance)
+
+import Faq from '../trustmark/FAQ.md';
+
+<Faq name="faq" />

docs/durable-cr/trustmark-faq.mdx

@@ -0,0 +1,36 @@
+---
+id: trustmark-intro
+title: TrustMark watermarking
+---
+
+TrustMark is an open-source universal watermarking system for images that:  
+
+- Can encode, decode, and remove watermarks from images.
+- Works with arbitrary resolution images.
+- Has implementations in Python (using PyTorch), [Rust](trustmark/rust/README.md), and [JavaScript](trustmark/js/README.md) (both using ONNX).
+
+:::info
+For full technical details and help getting started with TrustMark, see [TrustMark - Overview](trustmark/README.md).
+:::
+
+## Variants
+
+TrustMark has three primary model variants, each with different characteristics.
+
+Images encoded with one variant cannot be decoded with another variant, so you need to stick with the same variant throughout your pipeline.
+
+- **Variant Q (Default)** Use in most cases, where you want a good balance between robustness and imperceptibility.  PSNR is 43-45 dB. 
+- **Variant P** - Use when image quality is the top priority. PSNR is 48-50 dB.
+- **Variant C (Compact)** - Use if you need to minimize model size and can live with slightly lower visual quality. PSNR is 38-39 dB.
+
+The general recommendation is to use either:
+- Variant Q for most use cases.
+- Variant P when visual quality is paramount.
+
+## About PSNR
+
+PSNR (Peak Signal-to-Noise Ratio) is a measure of image quality when comparing an original image to the watermarked image. PSNR is measured in decibels (dB), with higher values indicating better quality:
+- Values around 45+ dB typically indicate very good quality.
+- Values around 40 dB indicate acceptable quality.
+- Values below 30 dB indicate poor quality, unacceptable for most uses.
+