Invalid Metadata When Using The Online Verify Tool

[deg4uss3r]

Hey team this may be related to #316 and/or contentauth/c2pa-rs#1413 but it's not quite the same error so I wanted to open a separate issue.

We have our cert (Fastly, Inc.) in the trust certificate as well as the original certificate in the chain (Adobe FireFly). The cli c2patool verifies successfully but the online tool does not and provides the following error:

This file may have been tampered with. Its Content Credentials can’t be verified or viewed.

output of c2patool:

~/Downloads
❯ c2patool --version
c2patool 0.23.4

~/Downloads
❯ c2patool ./5fc80d5a-f801-45c3-97a6-d300001dcaaa.jpeg
{
  "active_manifest": "urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb",
  "manifests": {
    "urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb": {
      "claim_generator": "fastly_image_optimizer c2pa-rs/0.45.3",
      "claim_generator_info": [],
      "format": "jpeg",
      "instance_id": "xmp:iid:75a85d97-814b-4152-a5e0-b15391c92b15",
      "ingredients": [
        {
          "title": "untitled",
          "format": "jpeg",
          "instance_id": "xmp:iid:e9cf8417-3651-48bc-aeea-a2eebb577458",
          "thumbnail": {
            "format": "image/jpeg",
            "identifier": "self#jumbf=/c2pa/urn:uuid:4a97f020-7cd8-4f17-a46e-dfa088e17bbf/c2pa.assertions/c2pa.thumbnail.claim.jpeg"
          },
          "relationship": "parentOf",
          "active_manifest": "urn:uuid:4a97f020-7cd8-4f17-a46e-dfa088e17bbf",
          "label": "c2pa.ingredient.v2"
        }
      ],
      "assertions": [
        {
          "label": "c2pa.actions.v2",
          "data": {
            "actions": [
              {
                "action": "c2pa.edited",
                "softwareAgent": "Fastly Image Optimizer"
              }
            ]
          }
        }
      ],
      "signature_info": {
        "alg": "Ed25519",
        "issuer": "Fastly, Inc.",
        "cert_serial_number": "587735718621470121135309630101826906260351599750"
      },
      "label": "urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb"
    },
    "urn:uuid:4a97f020-7cd8-4f17-a46e-dfa088e17bbf": {
      "claim_generator": "Adobe_Firefly adobe_c2pa/0.12.4 c2pa-rs/0.32.7",
      "title": "Generated image",
      "format": "image/jpeg",
      "instance_id": "xmp:iid:2b7ed4fa-6b97-4f43-bca8-94af79cc6ba8",
      "thumbnail": {
        "format": "image/jpeg",
        "identifier": "self#jumbf=/c2pa/urn:uuid:4a97f020-7cd8-4f17-a46e-dfa088e17bbf/c2pa.assertions/c2pa.thumbnail.claim.jpeg"
      },
      "ingredients": [
        {
          "title": "Reference Image",
          "format": "image/jpeg",
          "document_id": "xmp.iid:cac0d359-d539-4ea6-94c5-e8857cb6e042",
          "instance_id": "adobe:docid:stock:e5069241-9ad1-471b-873f-9b14b0c904ac",
          "relationship": "inputTo",
          "label": "c2pa.ingredient"
        }
      ],
      "assertions": [
        {
          "label": "c2pa.actions.v2",
          "data": {
            "actions": [
              {
                "action": "c2pa.created",
                "softwareAgent": "Adobe Firefly",
                "parameters": {
                  "com.adobe.firefly.operation": "style_zero",
                  "com.adobe.firefly.version": "3.1.0-release-firefly_3_1_0_main_23269.51664"
                },
                "digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia"
              }
            ]
          }
        }
      ],
      "signature_info": {
        "alg": "Ps256",
        "issuer": "Adobe Inc.",
        "common_name": "Adobe Firefly C2PA",
        "cert_serial_number": "29273495282838142212252668466108829162",
        "time": "2025-06-02T16:36:58+00:00"
      },
      "label": "urn:uuid:4a97f020-7cd8-4f17-a46e-dfa088e17bbf"
    }
  },
  "validation_results": {
    "activeManifest": {
      "success": [
        {
          "code": "claimSignature.insideValidity",
          "url": "self#jumbf=/c2pa/urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb/c2pa.signature",
          "explanation": "claim signature valid"
        },
        {
          "code": "claimSignature.validated",
          "url": "self#jumbf=/c2pa/urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb/c2pa.signature",
          "explanation": "claim signature valid"
        },
        {
          "code": "assertion.hashedURI.match",
          "url": "self#jumbf=/c2pa/urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb/c2pa.assertions/c2pa.ingredient.v2",
          "explanation": "hashed uri matched: self#jumbf=c2pa.assertions/c2pa.ingredient.v2"
        },
        {
          "code": "assertion.hashedURI.match",
          "url": "self#jumbf=/c2pa/urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb/c2pa.assertions/c2pa.actions",
          "explanation": "hashed uri matched: self#jumbf=c2pa.assertions/c2pa.actions"
        },
        {
          "code": "assertion.hashedURI.match",
          "url": "self#jumbf=/c2pa/urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb/c2pa.assertions/c2pa.hash.data",
          "explanation": "hashed uri matched: self#jumbf=c2pa.assertions/c2pa.hash.data"
        },
        {
          "code": "assertion.dataHash.match",
          "url": "self#jumbf=/c2pa/urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb/c2pa.assertions/c2pa.hash.data",
          "explanation": "data hash valid"
        }
      ],
      "informational": [],
      "failure": []
    },
    "ingredientDeltas": [
      {
        "ingredientAssertionURI": "self#jumbf=/c2pa/urn:uuid:fc0a49c5-d060-4ff4-bdc5-9019373522fb/c2pa.assertions/c2pa.ingredient.v2",
        "validationDeltas": {
          "success": [
            {
              "code": "ingredient.manifest.validated",
              "url": "self#jumbf=/c2pa/urn:uuid:4a97f020-7cd8-4f17-a46e-dfa088e17bbf",
              "explanation": "ingredient hash matched"
            }
          ],
          "informational": [],
          "failure": []
        }
      }
    ]
  },
  "validation_state": "Valid"
}

File with c2pa metadata attached (if GitHub strips any metadata let me know and I can host this elsewhere):