Original Pictures
Certificate chain validating against the C2PA Trust List

What is the C2PA Trust List?

Definition: The C2PA Trust List is the registry of certificate authorities approved to issue X.509 certificates for C2PA claim signing, maintained under the C2PA Steering Committee and its conformance program.

TL;DR: A signature is only as meaningful as the certificate behind it. The Trust List tells a verifier which signers are recognized. A manifest signed by a not-yet-listed signer is still cryptographically valid and readable; it simply shows as issued by an unlisted signer until conformance completes.

What the Trust List does

When a verifier checks a manifest, it asks whether the signing certificate chains to a recognized authority. The Trust List is that recognized set, currently including authorities such as DigiCert, GlobalSign, and IdenTrust. Listing is the difference between "valid and recognized" and "valid but from an unlisted signer."

Conformance is a process, not a switch

Getting on the Trust List runs through the C2PA Conformance Program, which checks signing practice and key protection. It takes time. During that window a signer's manifests use the published format and verify cryptographically, but third-party validators flag the signer as not yet listed. Honest products say so rather than implying membership they do not hold.

Where Original Pictures sits

Original Pictures signs under a DigiCert-issued X.509 certificate and is progressing through the Conformance Program with a Q3 2026 target. Until that completes, our manifests read as cryptographically valid but issued by a not-yet-listed signer, and we describe it exactly that way.

The incident behind this

Nikon's certificate revocation on 21 September 2025 shows the Trust List working as designed: when a signing pipeline was found exploitable, the certificates were pulled, and verifiers stopped recognizing new signatures from it.

FAQ

Is an unlisted signature worthless?

No. It is cryptographically valid and readable by any C2PA-aware tool; it just is not yet recognized as a listed authority. The hash, signature, and timestamp all still verify.

How long does conformance take?

It varies with assurance level and review. Original Pictures targets Q3 2026 and will update its status publicly when it changes.

Where Original Pictures stands today

Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.

Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.

Bottom line: The Trust List is the recognition layer for C2PA signers. Read it as the difference between recognized and unlisted, not between valid and invalid, and expect honest vendors to state their conformance status plainly.

Related


Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.

Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.

Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.