Adding Content Credentials(C2PA) to Audio Recordings Using SimpleC2PA.

Ngenge Senior
5 min readJan 18, 2024

C2PA stands for Coalition for Content Provenance and Authenticity which addresses the prevalence of misleading information online through the development of technical standards for certifying the source and history (or provenance) of media content. C2PA is a Joint Development Foundation project, formed through an alliance between Adobe, Arm, Intel, Microsoft, and Truepic.

How do you determine that a photo you are viewing on the internet was captured or is AI-generated? How do you determine that at some point, it was edited before being shared online? Is this audio or video I am watching even real or AI-generated? It is hard to tell what is real these days and the Content Authenticity Initiative led by Adobe seeks to address these issues.

How Does C2PA Work?

Imagine this: you take a photo of the La Nouvele Liberté in Douala, edit it in Photoshop, and share it online. Someone else downloads your picture, modifies it further, and then posts it again. How do you track the evolution of this image, seeing what changes were made at each step? Here’s where C2PA comes in.

Capturing the Journey:

  • C2PA-enabled cameras and software can embed information like location, photographer, and device at the moment of capture. Think of it as tagging the moment of birth.
  • Editing software equipped with C2PA allows users to record the changes they make, like turning a sunny sky into a stormy one. It’s like documenting the photo’s life story. The editor has to opt-in to allow C2PA to capture the edits made.

Verifying the Story:

  • When you encounter a C2PA-tagged image(or media) online, an icon acts as a “truth detector.” Click it, and you’ll see the entire journey of the photo: from its birth through all edits.
  • Each step is cryptographically signed, like a secure digital fingerprint. It ensures the information hasn’t been tampered with, making C2PA more reliable than standard photo data (EXIF).

The Power of Transparency:

  • C2PA empowers viewers to judge the authenticity of media. You can see if a photo, video, audio or other media has been manipulated and understand its context better.
  • This transparency helps combat misinformation and fake news, ultimately building trust in the online world.

The Technical Part: Adding Dependencies to the Android Studio Project

The ProofMode team (which I am a part of) worked on compiling the C2PA Rust SDK to get it working on Android Kotlin, and iOS. Note that the main focus of this article is how to use the compiled Android version to integrate C2PA with audio files.

Start by adding the Simple C2PA Android dependency


As stated, C2PA works by embedding a manifest into the media file during capture or whenever an edit is made and the device, editing software is running C2PA.

Create Private Keys and Certificates for Signing C2PA Data

The first step starts with creating private keys and certificates using a sample Kotlin function as below.

The classes such as FileData, and Certificate, and methods like createPrivateKey and createCertificate are all from the Simple C2PA library. and we will use the keys and certificates to sign our captured audio file.

At the time of this writing, audio file support is only possible for .wav and m4a extensions.More extensions support will come as C2PA development progresses.

Adding Content Credentials to Captured Audio

To generate content credentials for the file, we need the input file and the output file to be generated(if you wish to replace the input file, the output file should be the same), and properties such as whether we want to allow machine learning training on our file or not, the fingerprint, email display and other app properties. Using the user certificate created in the function initCredentials, we create content credentials for the input file and add various assertions which are the actual content credentials. The assertions that can be added to content credentials include;

  • Email assertion
  • Machine learning assertion whether to restrict or permit machine learning on our resulting output file.
  • Exif assertion which includes data such as the device used, GPS coordinates, etc; is separate from the Exif data we have from Android, though it has similar attributes.
  • More assertions can be seen in the info.guardianproject.simple_c2pa.ContentCredentials class.

When the assertions have been added, call the function embedManifest of the ContentCredentials class passing the absolute file path of the output file. This is the most crucial step given that without calling this method, content credentials will not be added to the file. An implementation is shown below.

Before adding the various assertions, we verify if the user certificate already exists, and if it does not exist, we initialize it as shown in the above snippet, as it is the certificate we will use to create the content credentials object.

Given that the above source code uses a Java File object, given an audio file path, we use the file path to create the input file required and call the function above.

The generateContentCredentials method returns the resulting output audio file with C2PA embedded. We can simply use an Android Share Intent to save the resulting file and can use the content credentials verify tool to see the content credentials associated with this file.

The above source code is based on ProofMode Audio Recorder maintained by the ProofMode team. You can check this branch for the full source code.

The following screenshots show an audio file generated from ProofMode Audio Recorder which has been uploaded to the verify tool and the content credentials of the audio file.

Content credentials info of audio file.

As you can see, the verify tool shows details about who captured the media, their fingerprint, the location of capture, the device used, etc. You may also have seen the ‘This Content Credential was issued by an unknown source’ message in the screenshot above. This is happening due to the fact that the claim signing key and certificate used in this demo is self-signed, and not linked to any trusted root certificate authority. For some use cases, that is acceptable, in others maybe not. We will cover key and identity management within C2PA in another future post.

For more on the progress of C2PA, check the websites , , .

To learn more about all of the ways that ProofMode supports C2PA, please visit

Thank you and leave your thoughts in the comments.