Merge branch 'main' into add-learn

Author: crandmck

.github/workflows/update-schemas.yml

@@ -0,0 +1,101 @@
+name: Update schemas to latest
+on:
+  repository_dispatch:
+    types: [c2pa-rs-release]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-schemas:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Checkout json-manifest-reference repository
+        uses: actions/checkout@v5
+        with:
+          repository: contentauth/json-manifest-reference
+          path: ./json-manifest-reference
+
+      - name: Checkout c2pa-rs repository
+        uses: actions/checkout@v5
+        with:
+          repository: contentauth/c2pa-rs
+          path: ./c2pa-rs
+          fetch-depth: 0
+
+      - name: Get latest c2pa-rs version
+        working-directory: ./c2pa-rs
+        run: |
+          latest_tag=$(git tag -l "c2pa-v*" --sort=-v:refname | head -n 1)
+          echo "latest_tag=$latest_tag" >> $GITHUB_ENV
+          echo "$latest_tag"
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+
+      - name: Build schemas
+        working-directory: ./c2pa-rs
+        run: cargo run --bin export_schema
+
+      - name: Move new schemas into ./json-manifest-reference/_data
+        run: |
+          # We also rename the schemas to have an underscore in the filename instead of a dot to fix
+          # compatibility issues with Ruby/Jekyll.
+          for path in ./c2pa-rs/target/schema/*.schema.json; do
+            name=$(basename "$path")
+            new=${name/.schema/_schema}
+            cp "$path" "./json-manifest-reference/_data/$new"
+          done
+
+      - name: Check schemas for diff
+        id: diffs
+        working-directory: ./json-manifest-reference
+        run: |
+          if [ -n "$(git status --porcelain -- ./_data/)" ]; then
+            echo "diff=true" >> "$GITHUB_OUTPUT"
+            echo "true"
+          else
+            echo "diff=false" >> "$GITHUB_OUTPUT"
+            echo "false"
+          fi
+
+      - name: Install Ruby and build and cache dependencies
+        if: steps.diffs.outputs.diff == 'true'
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '2.7.4'
+          bundler-cache: true
+          working-directory: ./json-manifest-reference
+
+      - name: Build Jekyll
+        if: steps.diffs.outputs.diff == 'true'
+        working-directory: ./json-manifest-reference
+        run: bundle exec jekyll build
+
+      - name: Move new built schemas into ./docs/manifest/json-ref
+        if: steps.diffs.outputs.diff == 'true'
+        # TODO: ideally we don't hardcode these paths, but we need to sort out a fix in the docs
+        run: |
+          cp ./json-manifest-reference/_site/manifest-def.html ./docs/manifest/json-ref
+          cp ./json-manifest-reference/_site/reader.html ./docs/manifest/json-ref
+          cp ./json-manifest-reference/_site/settings.html ./docs/manifest/json-ref
+
+      - name: Send schema PR
+        if: steps.diffs.outputs.diff == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          title: 'docs(schema): update schemas to ${{ env.latest_tag }}'
+          body: 'Updates schemas to ${{ env.latest_tag }}.'
+          commit-message: 'docs(schema): update schemas to ${{ env.latest_tag }}'
+          branch: 'schema-${{ env.latest_tag }}'
+          add-paths: ./docs/manifest/json-ref/*
+          base: ${{ github.event.repository.default_branch }}

docs/community.md

@@ -7,28 +7,30 @@ The Content Authenticity Initiative has an active and growing community of devel
 
 ## GitHub
 
-All the open-source CAI code is hosted in GitHub in the [CAI GitHub organization](https://github.com/contentauth) and we welcome input in the form of issues and pull requests in the repositories:
+All the open-source CAI code is hosted in GitHub in the [CAI GitHub organization](https://github.com/contentauth):
 
 - **Rust Library**: [c2pa-rs](https://github.com/contentauth/c2pa-rs)
 - **CLI tool**: [c2patool](https://github.com/contentauth/c2patool)
-- **JavaScript library**: [c2pa-js](https://github.com/contentauth/c2pa-js)
-- **Prerelease libraries**: 
-  - [c2pa-python](https://github.com/contentauth/c2pa-python)
-  - [c2pa-node](https://github.com/contentauth/c2pa-node)
-  - [c2pa-c](https://github.com/contentauth/c2pa-c)
-- **JavaScript examples**: [c2pa-js-examples](https://github.com/contentauth/c2pa-js-examples)
+- **JavaScript library**: [c2pa-web](https://github.com/contentauth/c2pa-web)
+- **Python library**: [c2pa-python](https://github.com/contentauth/c2pa-python)
+- **Node.js library**: [c2pa-node](https://github.com/contentauth/c2pa-node-v2)
+- **C++ library**: [c2pa-c](https://github.com/contentauth/c2pa-c)
 
 If you think you've found a bug or want to request a feature, please open an issue in the appropriate repository.
 
 :::note
-Do not create a public GitHub issue for suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). 
+Do not create a public GitHub issue for **suspected security vulnerabilities**. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). 
 For more information on reporting security issues, see [SECURITY.md](https://github.com/contentauth/c2pa-rs/blob/main/SECURITY.md).
 :::
 
 We also welcome thoughtful pull requests (PRs) from the community, following the contribution guidelines provided out in each repository. The guidelines are generally the same for all the SDK repositories; for example. see the [c2pa-rs contribution guidelines](https://github.com/contentauth/c2pa-rs/blob/main/CONTRIBUTING.md).
 
 Participants are required to follow the [Adobe Code of Conduct](https://github.com/contentauth/c2pa-rs/blob/main/CODE_OF_CONDUCT.md) to maintain an open and welcoming environment for all.
 
+### Verify
+
+The code for the [C2PA Verify website](https://verify.contentauthenticity.org/) is open source.  For general information on using it, see [Using the Verify tool](verify.mdx).
+
 ### Related projects
 
 These related projects may be of interest, but the CAI team doesn't maintain or support them:
@@ -38,6 +40,10 @@ These related projects may be of interest, but the CAI team doesn't maintain or
 - [**TrustMark**](https://github.com/adobe/trustmark): Open-source Python implementation of watermarking for encoding, decoding and removing image watermarks. You can use TrustMark as part of providing [durable content credentials](durable-cr/index.md).
 - [**C2PA Security Testing Tool**](https://github.com/contentauth/c2pa-attacks): A CLI tool derived from [c2patool](https://github.com/contentauth/c2patool) that performs security testing on a Content Credentials application.  This tool is intended for use by software security professionals.
 
+## Browser extension
+
+The free [browser extension for Google Chrome](https://chromewebstore.google.com/detail/c2pa-content-credentials/mjkaocdlpjmphfkjndocehcdhbigaafp?hl=en) enables you to verify and display manifests for images, audio and videos which have C2PA Content Credentials.
+
 ## C2PA Foundations video course
 
 For a series of educational videos, see [C2PA Foundations: A Course for Implementers](http://learn.contentauthenticity.org/).

docs/getting-started.mdx

@@ -90,80 +90,23 @@ In practice, to use a certificate with the CAI SDK, follow this process:
 For more information on getting and using certificates, see [Signing and certificates](signing/index.md).
 :::
 
-### Verify known certificate list
+### Verify trust list
 
 import verify_unknown_source from '../static/img/verify-cc-unknown-source.png';
 
-The C2PA [Verify tool](https://verify.contentauthenticity.org) uses a list of _known certificates_ (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. The known certificate list applies only to [Verify](https://verify.contentauthenticity.org). For more information, see [Verify tool known certificate list](verify-known-cert-list)
+The C2PA [Verify tool](https://verify.contentauthenticity.org) uses a list of _known certificates_ (sometimes referred to as a "trust list") to determine whether a Content Credential was issued by a known source. Currently, it uses the [interim trust list](verify-known-cert-list) but it will be updated soon to use the official [C2PA trust list](conformance.mdx#c2pa-trust-lists).
 
 ## Identity
 
-To identify who created or modified an asset, identity needs to be verifiable and bound to an asset and its manifest store. The CAI SDK supports the [W3C verifiable credentials](https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html#_w3c_verifiable_credentials) standard recommendation (part of the C2PA v1.4 specification), but doesn't currently have a way to validate these credentials or ensure that they properly reflect authorship of the content. An actor can add one or more identities to a manifest using the W3C verifiable credentials data model. Currently, a verifier must trust the manifest signer to properly authenticate the identity.
-
-Identity can be bolstered with other kinds of evidence such as _Adobe connected accounts_. In the future, the identity credentials will be separately verifiable. In the future, these verifiable credentials will be strongly bound to the manifest and media and be independently verifiable.
-
-In addition to simply adding a name and organization, Adobe tools can use the [Connected Accounts service](https://connected-accounts.adobe.com/) to connect social media accounts such as Behance, Instagram, or Twitter to an identity in a manifest. This service uses OAuth, so a user must be able to log in to the account to connect it.
+To identify who created or modified an asset, identity needs to be verifiable and bound to an asset and its manifest store.
 
 :::info
-The [Creator Assertions Working Group (CAWG)](https://creator-assertions.github.io/) is developing a technical specification for an identity assertion for use in the C2PA ecosystem. CAI expects to adopt and implement this specification in the SDK at some point in the future.
+The [Creator Assertions Working Group (CAWG)](https://creator-assertions.github.io/) provides a technical specification for an identity assertion for use in the C2PA ecosystem. For more information, see [Reading CAWG identity assertions](manifest/reading/reading-cawg-id.md).
 :::
 
-## How to use the SDK
-
-The CAI open-source SDK consist of:
-
-- **C2PA Tool**, a command-line tool for working with manifests and media. This tool is a wrapper around the Rust SDK and provides most of the same capabilities that it does.
-- **Language-specific libraries** in C/C++, Python, Node.js and client JavaScript. NOTE: The C/C++, Python, Node.js libraries are prerelease versions whose APIs are subject to change.
-- **The Rust library** enables a desktop, mobile, or embedded application to create and sign manifests, embed manifests in certain file formats, and parse and validate manifests.
-
-Behind the scenes, C2PA Tool and language-specific libraries are built using the Rust library to ensure consistency.
-
-The following diagram provides a high-level view of how to use the open-source CAI SDK.
-
-<img src={cai_open_source} width="800" />
-
-Applications can use the CAI SDK in several different ways:
-
-- Web pages can use the JavaScript library to display Content Credentials.
-- Applications can "shell out" to call C2PA Tool directly.
-- Applications written in C++, Python, or Node.js can use the APIs of the corresponding language libraries to:
-  - Create, modify, and sign manifests.
-  - Embed manifests into media files.
-  - Parse and validate manifests.
-
-Similarly, applications written in many programming languages can use the Rust Foreign Function Interface to call the Rust API and perform those same functions.
-
-### Native desktop or mobile applications
-
-Applications written in C++, Python, or Node.js can use the corresponding prerelease library APIs. Applications written in any language call C2PA Tool directly, though doing so is not highly scalable.
-
-Alternatively, native applications can use Rust's _Foreign Function Interface_ (FFI) to call functions in the Rust library. The FFI enables interoperability between Rust and code written in other languages.
-
-Although the underlying technology of the Rust library supports all major programming languages, the bindings and APIs to make all of them workable and easy to use are still in development.
-
-A Windows application can use the FFI to call Rust functions from languages such as C++ or C#. For an example, see the [c2c2pa repository](https://github.com/contentauth/c2c2pa).
-
-An Android application can use JNI (Java Native Interface) to call Rust functions from Java or Kotlin code. This requires creating a shared library (a .so file) with Rust code that exposes functions with `#[no_mangle]` attribute and an `extern "C"` keyword. Java and Kotlin code can load and invoke the shared library using `System.loadLibrary()` and native methods.
-
-An iOS application can use the C-ABI (C Application Binary Interface) to call Rust functions from Swift or Objective-C code. This also requires creating a shared library (a .dylib file) with Rust code that exposes functions with `#[no_mangle]` attribute and `extern "C"` keyword. For a simple example, see [`lib.rs` in the c2c2pa repository](https://github.com/contentauth/c2c2pa/blob/main/src/lib.rs). Swift or Objective-C code can link and invoke the shared library using the `@_silgen_name` attribute and unsafe blocks.
-
-### Websites
-
-A website can serve web pages that use the JavaScript library to display manifest data using client JavaScript. The ability to create and sign manifests from JavaScript via [WebAssembly](https://webassembly.org/) is under consideration and may be released in the future.
-
-A server-side web application can create, modify, and sign claims (and view them) by:
-
-- Executing a shell command to invoke C2PA Tool. For an example, see the [c2patool Node.js service example](c2pa-service-example). While this approach works, it is not highly scalable.
-- Use the prerelease [Node.js](c2pa-node), [Python](c2pa-python), or [C++/C](c2pa-c) libraries.
-- Bind to the Rust library and use it, similarly to native applications.
-
-### Embedded applications
-
-An embedded application can use the Rust FFI (foreign function interface) to call Rust functions from languages such as C or C++, similarly to a native application.
-
-Embedded applications have unique constraints tied to the devices on which they run, including small memory footprint, low-powered hardware, intermittent network access, unique operating systems, or the lack of an operating system OS (running on bare metal). For these reasons, if you want to develop a CAI-enabled embedded application, please contact the CAI team directly.
+In addition, Adobe tools can use the [Connected Accounts service](https://connected-accounts.adobe.com/) to connect social media accounts such as Behance, Instagram, or Twitter to an identity in a manifest. This service uses OAuth, so a user must be able to log in to an Adobe account to connect it.
 
-## Attaching and storing the manifest
+## Attaching and storing manifest data
 
 Once you've generated a manifest, you must attach it to the asset for it to be useful.