C2PA Content Credentials · Offline verifier
Verify who made it.
Verify when.
Verify what.
Drag a file in. provcheck reads the embedded C2PA manifest, validates the signature, and shows you the receipt — signer, timestamp, tool, model, and the full chain of edits back to the source.
No account. · No upload. · No telemetry.
How it works
Three steps. No learning curve.
Step 01
Drop the file in
Drag any audio, image, or video onto the window — or pass it on the command line. No format conversion, no pre-processing.
Step 02
See the verdict
Verified (green) means the signature is cryptographically intact. Unsigned (amber) means there is no claim to verify. Not verified (red) means the file was tampered with or is malformed.
Step 03
Read the receipt
Signer identity. Signing time. Tool that produced it. AI model used, if any. Full edit chain. All custom claims — training provenance, creator identity, licence, EU AI Act statements.
Why this matters
Provenance exists. The tooling to check it does not.
C2PA is the open standard that lets creators attach cryptographically-signed provenance to files. Adobe, Microsoft, BBC, Leica, Nikon, and Sony camera lines already produce C2PA-signed content. AI tools are starting to as well.
Adobe's c2patool is a developer-oriented CLI. The main web verifier requires uploading your file to a server — unacceptable for sensitive content. There is no polished cross-platform desktop app anyone can recommend to a non-technical recipient. provcheck fills that gap. It works on any C2PA-signed content from any vendor — Photoshop exports, Leica captures, rAIdio.bot outputs, anything the standard covers.
What you get
One utility. Every signed format.
Fully offline
Files never touch a network. No account, no upload, no server. Run it air-gapped.
Any signed file, any vendor
Verifies C2PA content from Adobe, Leica, Nikon, Sony, the BBC, AI tools — anything that follows the standard.
Three states, plain language
Verified, Unsigned, or Not verified. Every failure mode has a human-readable reason — no cryptographer required.
Humans and pipelines
Desktop app for drag-and-drop. Matching CLI with JSON output for CI. Same core library drives both.
Apache-2.0, auditable
All source on GitHub. Fork it, audit it, reproduce the build. No telemetry, no binary blobs.
What we verified, not what we hid
provcheck reports the signer's identity from the certificate. Trust-list policy is yours to decide — the tool tells you the cryptographic truth.
Who it's for
Anyone who needs to know what a file is before they publish it.
- Journalists & fact-checkers: Verify attribution on AI-generated or camera-sourced media before it ships.
- Archives & preservation institutions: Discriminate signed from unsigned material at ingest. Infrastructure for long-term provenance.
- Platform trust & safety teams: Evaluate tooling-level provenance signals for the ingest pipeline.
- Creators: Confirm your signed outputs survived the round-trip through export, conversion, upload, re-download.
- Developers: Integrate C2PA verification into pipelines via the JSON-output CLI mode.
- Everyone else: If someone sends you a file with a receipt, you can now read it.
At ingest scale
Production pipelines, not a desktop utility.
The downloads on this site are the free consumer tool — one file at a time, on your own machine. If you run ingest at archive, platform, or publisher scale and need C2PA validation wired into your pipeline — batch throughput, queue integration, custom trust policy, audit logging, operational support — we design and run that too, as a commercial engagement.
Serious inquiries: info@creativemayhem.com.
Get it
Free. Open source. Works offline.
Windows 10+, macOS 12+, Linux x86_64. Apache-2.0. Single-binary install, no runtime dependencies.