In this report I'm using zipped jpg files to prevent GitHub altering jpgs
ISSUE: C2PA tool does flag unauthorized modification of signed date/time. It does however flag this unauthorized modification if an additional modification is made.
REPRODUCE: Using c2pa tool with sample files that come with it
Create the original test file
c2patool sample/image.jpg -m sample/test.json -o signed_image.jpg
signed_image.jpg.org.zip
With a HEX editor, find 20240622031551Z and update it to be a month in advance: 20240722031551Z
signed_image.timestamp.jpg.zip
C2PA tool shows everything is fine
c2patool --info signed_image.jpg
Information for signed_image.jpg
Manifest store size = 73244 (54.26% of file size 134996)
Validated
One manifest
Manifest confirms the changed value of 07 instead of 06.
Next make another unauthorized change with hex editor:
Updated C2PA Test Signing Cert1.0 to C2PA Test Signing Cert2.0
signed_image.zip
Now BOTH (the timestamp and the claim signature mismatch) errors show up
c2patool --info signed_image.jpg
Information for signed_image.jpg
Manifest store size = 73244 (54.26% of file size 134996)
Validation issues:
timeStamp.mismatch
claimSignature.mismatch
One manifest
I investigated the claim in this article https://hackerfactor.com/blog/index.php?/archives/1031-C2PA-from-the-Attackers-Perspective.html
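As an added example (not part of the original report or of c2patool): independent of the validator's verdict, a byte-level comparison against a retained known-good copy shows which in-place edits touched an ASN.1 GeneralizedTime string such as the one in the steps above. The sample bytes are constructed, not a real C2PA manifest, and `changed_runs` and `classify_changes` are hypothetical helper names.

```python
import re

# ASN.1 GeneralizedTime as it appears in the report: YYYYMMDDHHMMSSZ in ASCII.
GENERALIZED_TIME = re.compile(rb"(?<!\d)\d{14}Z")

def changed_runs(a: bytes, b: bytes):
    """Yield (start, end) for each run of differing bytes in equal-length inputs."""
    if len(a) != len(b):
        raise ValueError("length differs; a same-size in-place edit is assumed")
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            yield start, i
            start = None
    if start is not None:
        yield start, len(a)

def classify_changes(reference: bytes, suspect: bytes):
    """Report each changed run and whether it lies inside a GeneralizedTime string."""
    stamps = [(m.start(), m.end()) for m in GENERALIZED_TIME.finditer(reference)]
    findings = []
    for start, end in changed_runs(reference, suspect):
        hit = next(((s, e) for s, e in stamps if s <= start and end <= e), None)
        if hit:
            s, e = hit
            findings.append({"offset": start, "kind": "generalized_time",
                             "before": reference[s:e].decode(),
                             "after": suspect[s:e].decode()})
        else:
            findings.append({"offset": start, "kind": "other",
                             "before": reference[start:end].hex(),
                             "after": suspect[start:end].hex()})
    return findings

# Constructed sample bytes (assumption: tag 0x18, length 0x0f, then the strings
# quoted in the report). Stands in for the signed file and its two edited copies.
REFERENCE = b"\x18\x0f20240622031551Z\x00C2PA Test Signing Cert1.0\x00"
TIME_EDITED = REFERENCE.replace(b"20240622", b"20240722")
BOTH_EDITED = TIME_EDITED.replace(b"Cert1.0", b"Cert2.0")

if __name__ == "__main__":
    for finding in classify_changes(REFERENCE, BOTH_EDITED):
        print(finding)
```
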