contentauth / c2patool

Command line tool for displaying and adding C2PA manifests
Apache License 2.0

C2PAtool does not return error when signing date is modified. #189

Open YurkoWasHere opened 1 week ago

YurkoWasHere commented 1 week ago

I investigated the claim in this article https://hackerfactor.com/blog/index.php?/archives/1031-C2PA-from-the-Attackers-Perspective.html

In this report I'm using zipped jpg files to prevent GitHub altering jpgs

ISSUE: C2PA tool does flag unauthorized modification of signed date/time. It does however flag this unauthorized modification if an additional modification is made.

REPRODUCE: Using c2patool with the sample files that come with it

1. Create the original test file: `c2patool sample/image.jpg -m sample/test.json -o signed_image.jpg` (signed_image.jpg.org.zip)

2. With a HEX editor, find `20240622031551Z` and update it to be a month in advance: `20240722031551Z` (signed_image.timestamp.jpg.zip)

C2PA tool shows everything is fine

```
c2patool --info signed_image.jpg
Information for signed_image.jpg
Manifest store size = 73244 (54.26% of file size 134996)
Validated
One manifest
```

Manifest confirms the changed value of 07 instead of 06.

```json
      "signature_info": {
        "alg": "Ps256",
        "issuer": "C2PA Test Signing Cert",
        "cert_serial_number": "720724073027128164015125666832722375746636448153",
        "time": "2024-07-22T03:15:51+00:00"
      },
```

Next make another unauthorized change with hex editor:

Updated `C2PA Test Signing Cert1.0` to `C2PA Test Signing Cert2.0` (image signed_image.zip)

Now BOTH (the timestamp and the claim signature mismatch) errors show up:

```
c2patool --info signed_image.jpg
Information for signed_image.jpg
Manifest store size = 73244 (54.26% of file size 134996)
Validation issues:
   timeStamp.mismatch
   claimSignature.mismatch
One manifest
```

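The behaviour reported above, reduced to a small model as an added example (not code from c2patool, the root SDK, or the issue author): a validator that checks the claim signature but reads the signing time from data the signature does not cover will accept an edited time, and only an edit to signed bytes produces `claimSignature.mismatch`. A hardened validator either binds the time into the signed bytes or refuses to report a time it cannot bind. The HMAC key, the claim contents, the protected/unprotected header split and the `timeStamp.unbound` status code are constructed for this example; real manifests use COSE signatures and c2patool's own status codes, and the `timeStamp.mismatch` path seen in the second run is not modelled here.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key: HMAC stands in for the signer's private key so that the
# example runs with the standard library only. Real C2PA manifests carry an
# asymmetric COSE signature; the header/payload split below is a simplification.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(obj) -> bytes:
    """Deterministic JSON bytes so signer and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(claim: dict, protected: dict, unprotected: dict) -> dict:
    """Sign the claim together with the protected headers only.

    Anything placed in `unprotected` travels next to the signature but is not
    covered by it, which is the property this issue exercises.
    """
    tag = hmac.new(SIGNING_KEY, canonical({"claim": claim, "protected": protected}),
                   hashlib.sha256).hexdigest()
    return {"claim": claim, "protected": protected,
            "unprotected": unprotected, "signature": tag}


def validate(manifest: dict) -> list:
    """Naive validator: checks the signature and reports a c2patool-style code."""
    issues = []
    expected = hmac.new(SIGNING_KEY,
                        canonical({"claim": manifest["claim"],
                                   "protected": manifest["protected"]}),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        issues.append("claimSignature.mismatch")
    return issues


def validate_strict(manifest: dict) -> list:
    """Hardened validator: also refuses a signing time the signature does not bind.

    `timeStamp.unbound` is a hypothetical status code invented for this example.
    """
    issues = validate(manifest)
    if "time" in manifest["unprotected"] and "time" not in manifest["protected"]:
        issues.append("timeStamp.unbound")
    return issues


def signing_time(manifest: dict) -> str:
    """What a tool printing signature_info.time would show for this manifest."""
    return manifest["protected"].get("time") or manifest["unprotected"].get("time")


def reproduce() -> dict:
    """Replay the report's two hex edits against a weak and a hardened layout."""
    claim = {"title": "image.jpg", "assertions": ["c2pa.actions"]}  # constructed
    issuer = "C2PA Test Signing Cert1.0"
    original_time = "2024-06-22T03:15:51+00:00"
    edited_time = "2024-07-22T03:15:51+00:00"

    # Weak layout: the signing time lives in the unprotected headers.
    weak = sign(claim, {"issuer": issuer}, {"time": original_time})
    # Hardened layout: the signing time is part of the signed bytes.
    hard = sign(claim, {"issuer": issuer, "time": original_time}, {})

    # Edit 1: only the timestamp changes (the first hex edit in the report).
    weak_t = copy.deepcopy(weak)
    weak_t["unprotected"]["time"] = edited_time
    hard_t = copy.deepcopy(hard)
    hard_t["protected"]["time"] = edited_time

    # Edit 2: the issuer string is changed as well (the second hex edit).
    weak_ti = copy.deepcopy(weak_t)
    weak_ti["protected"]["issuer"] = "C2PA Test Signing Cert2.0"

    return {
        "weak_time_only": validate(weak_t),                 # [] : edit goes unnoticed
        "weak_time_only_reported": signing_time(weak_t),    # the edited time is shown
        "weak_time_only_strict": validate_strict(weak_t),   # hardened check flags it
        "weak_time_and_issuer": validate(weak_ti),          # signed bytes changed
        "hard_time_only": validate(hard_t),                 # bound time: edit detected
    }


if __name__ == "__main__":
    for name, result in reproduce().items():
        print(f"{name}: {result}")
```

The takeaway for anyone building a verifier on top of a manifest format: any field a tool displays as "signed" must actually be inside the bytes the signature covers, or be independently verified (for example via a trusted timestamp token), before it is shown as validated.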
YurkoWasHere commented 1 week ago

note: contentcredentials.org also does not flag modified signing timestamps

mauricefisher64 commented 1 week ago

This issue was addressed in the root SDK. I will update c2patool when we publish the fix.