feat: Content Provenance experiment (C2PA 2.3 §A.7 text authentication)

[erik-sv]

Changes since last review

• Rebased onto latest develop (includes Add modern wp-build DataForm route for AI settings page #340 and Use toggle UI, auto-save, and inline DataForm settings for experiments #376, the DataForm settings architecture)
• Migrated settings to get_settings_fields() for the new DataForm-based settings page. Removed ~250 lines of render_settings_fields() PHP/HTML/JS. All 8 settings registered with show_in_rest and proper REST API schemas.
• Generalized Connected tier from Encypher-specific to provider-agnostic. UI labels, descriptions, and docblocks now reference "CA-verified provider." Added KNOWN_PROVIDERS constant as a maintained registry of compatible signing services.
• Fixed sidebar UX: dynamic tier-aware notice ("Will be signed with [local key / CA-verified provider / publisher certificate]"), badge alignment, section spacing
• Fixed auto-sign bug: content published before experiment activation would auto-sign on editor refresh without content changes. Added content hash guard.
• Fixed frontend badge: show_badge option defaulting to false on fresh installs, wired up CSS enqueue
• API key masking in REST responses so the DataForm settings page never exposes raw keys
• 192 tests, 447 assertions passing (1 pre-existing failure in test_enqueue_assets_runs_on_post_screen, unrelated)

---

Summary

Adds a Content Provenance experiment that embeds cryptographic C2PA 2.3 section A.7 manifests into post content as invisible Unicode variation selectors. Publishers can prove authorship, detect tampering, and participate in the content authenticity ecosystem used by Google, BBC, Adobe, OpenAI, and Microsoft.

What this adds

Content Provenance experiment

• Auto-signs posts on publish/update with c2pa.created / c2pa.edited actions and provenance-chain ingredient references
• Content hash guard prevents phantom re-signing when the editor autosaves or the REST API re-saves an already-published post
• Three signing tiers: Local (zero setup, self-signed), Connected (CA-verified provider), BYOK (publisher's own certificate)
• c2pa/sign and c2pa/verify Abilities via wp_do_ability()
• Gutenberg sidebar panel with 5-state shield badge (verified / local-signed / modified / tampered / unsigned) and one-click sign/verify
• /.well-known/c2pa discovery endpoint per C2PA section 6.4
• Optional frontend verification badge on public posts
• Declarative settings fields for the DataForm architecture with REST API exposure

C2PA protocol layer (pure PHP, no external dependencies)

• CBOR encoder (RFC 8949)
• COSE_Sign1 builder and verifier (RFC 9052)
• JUMBF reader and writer (ISO 19566-5)
• Claim builder conforming to C2PA 2.4 assertion and claim structures

Post signing flow

flowchart TD
    A[Post Published or Updated] --> B{Content Provenance enabled?}
    B -->|No| Z[Skip]
    B -->|Yes| C{Already signed + unchanged?}
    C -->|Yes| Z
    C -->|No| D[Strip HTML to plain text]
    D --> E[Build C2PA Manifest]
    E --> E1[c2pa.actions.v2]
    E --> E2[c2pa.hash.data.v2 SHA-256]
    E --> E3[c2pa.ingredient.v2 edit chain]
    E1 & E2 & E3 --> F{Signing tier}
    F -->|Local| G[EC P-256 self-signed via OpenSSL]
    F -->|Connected| H[POST to CA-verified provider API]
    F -->|BYOK| I[Publisher certificate PEM file]
    G & H & I --> J[Unicode Embedder: VS1-VS256 invisible bytes]
    J --> K[wp_update_post with embedded content]
    K --> L[Store post meta + content hash]
    L --> M[Gutenberg sidebar badge updates]

Loading

Signing tiers

Tier	Trust model	Setup required	On C2PA trust list
Local	Self-signed EC P-256, stored in site options	None	No (yellow badge)
Connected	Delegated to CA-verified provider	Service URL + API key	Yes (green badge)
BYOK	Publisher's own certificate	PEM file path	Yes (green badge)

The Connected tier is provider-agnostic. Connected_Signer::KNOWN_PROVIDERS maintains a registry of compatible services. Any CA-verified signing provider with a compatible API can be used.

WordPress Abilities API

// Sign any text
$result = wp_do_ability( 'c2pa/sign', [
    'text'   => 'The content to sign',
    'action' => 'c2pa.created',  // or c2pa.edited
] );
// $result['signed_text'] -- Unicode-embedded provenance
// $result['manifest']    -- full C2PA JSON manifest
// $result['signer_tier'] -- local | connected | byok

// Verify any text
$result = wp_do_ability( 'c2pa/verify', [
    'text' => $post->post_content,
] );
// $result['verified'] -- bool
// $result['status']   -- verified | unsigned | tampered | modified
// $result['manifest'] -- parsed manifest array if present

Codebase composition

Category	Lines	%	Notes
Tests	~3,337	42%	192 tests across all components
C2PA protocol layer	~1,812	23%	CBOR, COSE, JUMBF, Claim Builder
Backend (settings, REST, badge, pipeline)	~1,542	19%	Shared infrastructure for all tiers
Signing method implementations	~795	10%	Local, Connected, BYOK strategy classes
UI (sidebar panel, SCSS, webpack)	~479	6%	Single sidebar panel for all tiers

Files

File	Description
Experiment core
includes/.../Content_Provenance.php	Main experiment class, settings, signing pipeline
includes/.../Verification_Badge.php	Frontend badge rendering + CSS enqueue
includes/.../Well_Known_Handler.php	/.well-known/c2pa discovery endpoint
includes/.../C2PA_Manifest_Builder.php	Manifest construction and verification
includes/.../Unicode_Embedder.php	VS1-VS256 embed/extract/strip
C2PA protocol layer
includes/.../C2PA/CBOR_Encoder.php	RFC 8949 CBOR encoder
includes/.../C2PA/COSE_Sign1_Builder.php	RFC 9052 COSE_Sign1 signing
includes/.../C2PA/COSE_Sign1_Verifier.php	COSE_Sign1 signature verification
includes/.../C2PA/Claim_Builder.php	C2PA 2.4 claim and assertion builder
includes/.../C2PA/JUMBF_Reader.php	ISO 19566-5 JUMBF parser
includes/.../C2PA/JUMBF_Writer.php	ISO 19566-5 JUMBF serializer
Signing methods
includes/.../Signing/Signing_Interface.php	Signer contract
includes/.../Signing/Local_Signer.php	Self-signed EC P-256 tier
includes/.../Signing/Connected_Signer.php	CA-verified provider tier + KNOWN_PROVIDERS
includes/.../Signing/BYOK_Signer.php	Publisher certificate tier
Abilities
includes/Abilities/.../C2PA_Sign.php	c2pa/sign Ability
includes/Abilities/.../C2PA_Verify.php	c2pa/verify Ability
UI
src/experiments/content-provenance/index.js	Gutenberg sidebar panel
src/experiments/content-provenance/index.scss	Sidebar styles
src/experiments/content-provenance/frontend.scss	Frontend badge styles
webpack.config.js	Entry points for experiment JS/CSS
Tests (192 tests, 447 assertions)
tests/.../Content_ProvenanceTest.php	Main class integration tests
tests/.../Verification_BadgeTest.php	Badge rendering tests
tests/.../Well_Known_HandlerTest.php	Discovery endpoint tests
tests/.../Unicode_EmbedderTest.php	Embed/extract/strip tests
tests/.../C2PA/CBOR_EncoderTest.php	CBOR encoding tests
tests/.../C2PA/COSE_Sign1_BuilderTest.php	COSE signing tests
tests/.../C2PA/COSE_Sign1_VerifierTest.php	COSE verification tests
tests/.../C2PA/Claim_BuilderTest.php	Claim structure tests
tests/.../C2PA/C2PA_ConformanceTest.php	Spec conformance tests
tests/.../C2PA/JUMBF_ReaderTest.php	JUMBF parsing tests
tests/.../C2PA/JUMBF_WriterTest.php	JUMBF serialization tests
tests/.../Signing/Local_SignerTest.php	Local signing tests
tests/.../Signing/Connected_SignerTest.php	Connected signing tests
tests/.../Signing/BYOK_SignerTest.php	BYOK signing tests

Test plan

• Run vendor/bin/phpunit --filter Content_Provenance (192 tests pass)
• Activate experiment, publish a post, verify _c2pa_manifest meta is set
• Edit a signed post, confirm c2pa.edited action + ingredient reference to previous manifest
• Refresh editor on a signed post without editing, confirm it does not re-sign (content hash guard)
• Call wp_do_ability('c2pa/sign', ['text' => 'hello']) in wp shell, returns signed text
• Call wp_do_ability('c2pa/verify', ['text' => $signed]), returns verified: true
• Visit /.well-known/c2pa, returns valid JSON discovery document
• Tamper with post content in DB, verify badge shows tampered status
• Verify sidebar shows dynamic tier notice matching the configured signing tier
• Verify settings fields appear in the DataForm settings page under Content Provenance
• Verify API key is masked in REST API response (/wp/v2/settings)

Related

• C2PA 2.3 specification, section A.7: Text Manifests
• Coalition for Content Provenance and Authenticity: Google, BBC, Adobe, OpenAI, Microsoft, AP, Reuters

[codecov]

Codecov Report

❌ Patch coverage is 81.59383% with 358 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.81%. Comparing base (bff4c86) to head (14007a3).
⚠️ Report is 3 commits behind head on develop.

Files with missing lines	Patch %	Lines
...eriments/Content_Provenance/Content_Provenance.php	80.84%	114 Missing ⚠️
...ments/Content_Provenance/C2PA_Manifest_Builder.php	55.88%	45 Missing ⚠️
...ts/Content_Provenance/C2PA/COSE_Sign1_Verifier.php	73.80%	44 Missing ⚠️
...riments/Content_Provenance/Signing/BYOK_Signer.php	70.00%	36 Missing ⚠️
...iments/Content_Provenance/Signing/Local_Signer.php	77.00%	23 Missing ⚠️
includes/Asset_Loader.php	51.35%	18 Missing ⚠️
...periments/Content_Provenance/C2PA/JUMBF_Reader.php	83.82%	11 Missing ⚠️
...eriments/Content_Provenance/Verification_Badge.php	87.50%	11 Missing ⚠️
...ncludes/Abilities/Content_Provenance/C2PA_Sign.php	89.58%	10 Missing ⚠️
...periments/Content_Provenance/C2PA/CBOR_Encoder.php	90.00%	10 Missing ⚠️
... and 8 more

Additional details and impacted files

@@              Coverage Diff              @@
##             develop     #294      +/-   ##
=============================================
+ Coverage      68.52%   71.81%   +3.28%     
- Complexity       958     1398     +440     
=============================================
  Files             60       77      +17     
  Lines           4861     6744    +1883     
=============================================
+ Hits            3331     4843    +1512     
- Misses          1530     1901     +371     

Flag	Coverage Δ
unit	71.81% <81.59%> (+3.28%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[erik-sv]

Plugin Check failure appears to be pre-existing on trunk, happy to investigate if needed.

[jeffpaul]

@erik-sv mind updating to branch from develop?

Separately, @dkotter and I have been exploring this sort of work for some time (see 10up/classifai#652) and am curious how your work here might overlap/relate to media content (and whether you'd consider also helping on that front in this plugin)?

[erik-sv]

@erik-sv mind updating to branch from develop?

Separately, @dkotter and I have been exploring this sort of work for some time (see 10up/classifai#652) and am curious how your work here might overlap/relate to media content (and whether you'd consider also helping on that front in this plugin)?

Hi @jeffpaul, just moved to the develop branch (thanks for the tips, James LePage just directed me here so I'm new). I'm the co-chair for C2PA's text task force and wrote their spec here so I am very familiar with content provenance technology. Also the CEO of Encypher . Happy to help integration efforts.

I actually have two other PRs for this repo that I have in mind but I didn't want to overwhelm you all with code. Happy to put them up for your review:

1. AI Content Provenance: hooks into the existing experiment output filters (Title Generation, Excerpt Generation, etc.) so that when WordPress AI generates content, provenance metadata records that fact. This implements a "digital nutrition label" for content, as touched on in 10up/classifai#652
2. Image Provenance with CDN Continuity: directly addresses the problem where CDNs strip metadata during image transforms. We built a provenance sidecar indexed by perceptual hash that makes the original C2PA manifest retrievable even after aggressive CDN transforms, with edge worker implementations for Cloudflare, Fastly, and CloudFront. For text, we've already solved this CDN survival problem.

Let me know if you have any feedback on this PR or would like me to submit the other two PRs. In regards to the 10up repo, we have developed ways to do exactly what you require for images and text content. One caveat is that to display the CR logo overlay, you need to go through the C2PA compliance program.

[jeffpaul]

Let me know if you have any feedback on this PR or would like me to submit the other two PRs.

I'll defer to @dkotter for code review on this PR, once you pull it out of Draft state.

Otherwise, additional PRs would be amazing, thanks!

One caveat is that to display the CR logo overlay, you need to go through the C2PA compliance program.

Is that required per site leveraging this WordPress AI plugin or could "we" (either the WordPress AI team, or the WordPress.org project itself) go through that on behalf of every WordPress site leveraging this plugin?

[Jameswlepage]

Is that required per site leveraging this WordPress AI plugin or could "we" (either the WordPress AI team, or the WordPress.org project itself) go through that on behalf of every WordPress site leveraging this plugin?

Interested in this one as well. If the project were to get closer to the protocol, it feels like an audited plugin could work for the universe of sites that the CMS enables.

[erik-sv]

@jeffpaul @Jameswlepage Great questions, let me break this down into the two separate pieces: conformance and signing identity/trust.

To directly answer your question @jeffpaul yes, the WordPress AI team or WordPress.org project can absolutely go through conformance and serve as the signing identity on behalf of every WordPress site. That's the lowest-friction path and follows the same model as Adobe, Microsoft, and the camera manufacturers. The BYOK option remains available for users who need their own organizational identity on the manifest, and you can do both:

Conformance Program

The C2PA conformance program operates at the implementation level, not per-site. So the WordPress AI plugin (or the WordPress.org project itself) would go through conformance once on behalf of every site using the plugin. Happy to help with that process once the implementation is substantially complete.

Signing Identity & Trust

This is the more interesting question. For signatures to show as trusted in C2PA-aware applications (browsers, social platforms, search engines), the signing certificate needs to chain to the C2PA Trust List. There are a few options here, and they're not mutually exclusive:

Option 1: WordPress as the signing identity (recommended starting point)

WordPress operates a centralized signing service and holds a trusted certificate, similar to how Adobe signs content from Photoshop and camera manufacturers (Nikon, Sony, Leica) sign photos under their brand. Every site using the plugin would sign through this service via the Connected tier already in this PR.

• Pros: Zero setup for users, single conformance + trust list application, broadest coverage
• Cons: The signature asserts "published via WordPress" not "published by example.com", WordPress.org takes on trust responsibility for everything signed through the service

Option 2: Publisher BYOK (organizational identity)

Individual users obtain their own certificate from a CA on the trust list and configure it via the BYOK tier in this PR. The manifest would say "published by XYZ Press" or "published by example.com."

• Pros: User-level attribution, each org controls their own identity
• Cons: Higher friction, requires each publisher to independently obtain a trusted cert

Option 3: Hybrid (Option 1 + 2 recommended)

WordPress serves as the default signing identity out of the box, while users who want organizational attribution can override with BYOK. This is probably the right long-term answer, it gives every WordPress site provenance by default while letting orgs that care about brand-level attestation bring their own identity.

---

Let me know which direction feels right and I can adjust the implementation accordingly.

[jeffpaul]

Option 2 is almost certainly a non-starter for the majority (or at least statistically significant) of WordPress installs. Thus going with Option 3 to allow flexibility for sites, especially enterprise installs or publishers, to be able to use BYOK seems most optimal.

[jeffpaul]

@erik-sv any ETA on getting a PR out of draft and ready for review here? I'd love to see us get this stable and into the plugin before the WordPress 7.0 launch on April 9th, which would likely mean getting the PR ready for review/testing by sometime next week.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @lnispel.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: lnispel.

Co-authored-by: erik-sv <encypher@git.wordpress.org>
Co-authored-by: dkotter <dkotter@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>
Co-authored-by: Jameswlepage <isotropic@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[erik-sv]

Both PRs are now rebased onto latest develop (0.6.0) and moved out of draft:

What changed in this rebase:

• Ported from Abstract_Experiment → Abstract_Feature API (static get_id(), load_metadata(), get_stability())
• Registration via Experiments::EXPERIMENT_CLASSES instead of the old Experiment_Loader
• All option names now use the wpai_feature_* convention
• Added Well_Known_Handler test coverage (was at 0%)
• Fixed namespace mismatches in test files for PSR-4 compliance
• Fixed duplicate PHPDoc block and stale phpcs:ignore comment
• Updated developer docs for new hook names (wpai_register_features, wpai_feature_content-provenance_enabled)

PR #302 (Image Provenance + CDN) builds on top of this PR with the same API port applied.

Ready for @dkotter's code review — aiming to be stable well before the April 9th WP 7.0 window.

[erik-sv]

Update: Native C2PA signing + ingredient chains + sidebar fix

Two commits pushed since the last update:

feat: implement native C2PA signing with JUMBF/COSE/ES256

Replaced the custom JSON manifest format with spec-compliant C2PA 2.3 binary signing:

• CBOR_Encoder — minimal deterministic CBOR (CTAP2 canonical) for COSE structures
• JUMBF_Writer — ISO 19566-5 box serialization for C2PA manifest stores
• COSE_Sign1_Builder — RFC 9052 COSE_Sign1 envelope with ES256 signatures
• Claim_Builder — C2PA 2.3 claim + assertion structure generator
• Switched from RSA-2048 to EC P-256 with self-signed X.509 certificates
• Binary JUMBF manifests are base64-encoded for safe WordPress meta storage
• Legacy JSON verification preserved for backwards compatibility

feat: add C2PA ingredient chains and fix sidebar JS naming

• Ingredient chains — edited content now includes a c2pa.ingredient.v2 assertion referencing the prior manifest by SHA-256 hash, forming a verifiable provenance chain per C2PA 2.3 §8.3
• Sidebar JS fix — window.ContentProvenanceData → window.aiContentProvenanceData to match what Asset_Loader::localize_script actually produces (the sidebar panel was fully built but silently broken)

Test results

• 159 tests, 353 assertions, 0 failures
• PHPCS clean
• PHPStan level 8 clean

Signing tiers status

All three tiers now produce spec-compliant JUMBF/COSE_Sign1 output:

Tier	Crypto	Output	Status
Local	EC P-256 + self-signed X.509	JUMBF manifest store	✅
Connected	Encypher API (api.encypher.com)	JUMBF via base64 response	✅
BYOK	Publisher-supplied key + CA cert	JUMBF manifest store	✅

This PR is ready for review. @jeffpaul @Jameswlepage — would appreciate your eyes on this when you have a chance. Happy to walk through any part of the C2PA pipeline.

[dkotter]

There's a lot here so I'm sure I missed some things but have given this an initial review. Might have been better to break this down into multiple PRs (maybe one PR for each signing tier) to make it easier to review and test.

Because of the size, I did run things through Codex to give me an overview of how everything works. I don't know much about C2PA so this may not be accurate / matter but it did flag the following:

Verification does NOT check the COSE_Sign1 signature — only the content hash

The verify ability reports verified: true if the SHA-256 hash of the stripped text appears anywhere in the JUMBF bytes. It never validates the ECDSA signature, certificate chain, or even parses the CBOR structure. This means:
- An attacker can construct a fake JUMBF blob containing the hash without a valid signature
- strpos() on binary data can produce false positives
- The green "verified" badge is misleading — it only confirms content wasn't altered, not that it was signed by the claimed publisher

Recommendation: Either implement proper COSE_Sign1 signature verification (parse CBOR, reconstruct Sig_structure1, verify ECDSA against certificate) or clearly label verification as "hash integrity check only — not full C2PA verification." The current verified: true response is a false sense of security.

And also:

This is a custom C2PA approximation, not a full implementation

What's implemented:
- JUMBF container construction
- COSE_Sign1 structure with ES256 signing
- CBOR encoding
- C2PA §A.7 Unicode variation selector embedding
- Content hash assertion

What's missing:
- Signature verification (critical)
- CBOR decoding/parsing
- Manifest path resolution
- Ingredient chain traversal
- Trust list validation
- Hard binding support

The PR description references C2PA 2.3 spec compliance, but the implementation produces spec-formatted manifests without being able to fully verify them. This should be clearly documented.

[dkotter]

I'd suggest just removing all of this as we don't document this for any other experiment

[erik-sv]

This file doesn't exist in our branch, nothing to remove.

[dkotter]

I think having documentation for this experiment is correct, should ideally follow our documentation for other experiments though. Curious for the reasoning around removing this entirely?

[dkotter]

Suggested change

	1. Go to **Settings → AI Experiments**
	1. Go to **Settings → AI**

[erik-sv]

Same, file doesn't exist in our branch.

[lnispel]

Thanks for the clarification on cert scoping, @erik-sv. That's helpful context and good to know the trust model works that way across the industry.

A few thoughts on the broader approach:
On the circular problem argument, does WordPress need to be the production implementation the text conformance test suite validates against? C2PA has reference tooling (c2patool), and as co-chair of the text task force you'd have access to standalone implementations that could serve the same purpose. Coupling the conformance program's development timeline to a WordPress plugin shipping in production feels like it places a significant obligation on the WordPress AI team that may not be necessary. Once the text conformance is ready, I am sure they'd be willing to spend time on shipping this with you as they are now.

On scope more generally, between #294 and #302, we're looking at ~16,000 lines introducing a full tier system, external API integration, CDN workers, JUMBF/CBOR/COSE implementations, Unicode embedding, REST endpoints, verification badges, and a .well-known handler.

That's a lot of surface area for the team to review and maintain as an "experiment." Would it make sense to start with local signing only? No tiers, no connected service, no BYOK, and let the community discuss what external signing integration should look like before that architecture is committed?

And building on your point that certs aren't media-type-scoped: if WordPress.org went through image conformance (where the test suite exists today), it would receive a trusted cert that could also sign text content. That seems like a path to Jeff's goal of WordPress providing trusted signing independently, without needing a third-party bridge in the interim. Would it be more valuable to help WordPress get there rather than building the connected tier as the default path to trust?

[erik-sv]

@lnispel Appreciate the thoughtful follow-up. Let me take these in order.

On WordPress as a test bed: that is not the argument. Encypher has its own implementation, which this plugin is based on, and reference tooling exists as you note. The argument is ecosystem value. A production deployment at WordPress scale gives the text provenance ecosystem something a reference tool cannot: real-world editorial workflows, diverse hosting environments, and community feedback on how text provenance behaves in the wild. We are contributing this to the open-source community because that ecosystem signal benefits everyone working on text provenance, including the conformance program.

On scope: the Local, Connected, and BYOK tiers are already built, tested (228 tests, 547 assertions), and reviewed by @dkotter. Local is the default. Connected and BYOK are entirely optional, toggled by a single settings dropdown that defaults to off. Stripping them out means removing working, reviewed code so the community can discuss it hypothetically rather than evaluate it directly. The experiment framework exists precisely to let users enable capabilities and provide feedback. Shipping all three tiers lets the community assess the full architecture rather than debating a design document.

On WordPress going through image conformance independently: that path is available and the Connected tier does not prevent it. But it is worth understanding what each path provides, because they serve different levels of the trust hierarchy.

WordPress obtaining its own trusted certificate gives you tool-level signing. Every manifest on every site would read "signed by WordPress," the same way a photo from Photoshop reads "signed by Adobe." That is valuable for asserting platform-level provenance.

A hosted signing service can provide publisher-level signing through S/MIME sub-certificate issuance. Instead of "signed by WordPress," the manifest reads "published by The Washington Post" or "published by jane@publisher.com." For news organizations and enterprise publishers, organizational identity is the point, not tool identity. WordPress.org cannot issue sub-certificates for arbitrary publishers under its own conformance cert. That requires a signing service with CA delegation authority.

Hosted signers also enable deeper manifest customization: editorial policy assertions, rights metadata, provenance chains linked to external CMS workflows. These capabilities evolve independently of the WordPress release cycle, which matters for publishers with compliance requirements that move faster than plugin updates.

These are not competing paths. Tool-level signing ("this came from WordPress") and publisher-level signing ("this came from The New York Times, via WordPress") coexist. The tier architecture makes both possible. Removing it now means rebuilding it later once the community arrives at the same requirements.

[lnispel]

@erik-sv Following up on the ecosystem value and tier architecture points. I appreciate the thorough responses throughout this thread. I want to close my end of this with some context I think is worth the team considering.

The cost of writing code is trivial. The cost of reviewing, understanding, and maintaining it is not. 228 tests tell you the code does what the author intended. They don't tell you it's the right architecture for WordPress, and they don't reduce the cost of the team needing to fully understand and own every line after it merges. If this was more collaborative in its development, more of the team would be brought along with the decisions inside which would make it more valuable to the ecosystem and the maintainers as a whole.

IPTC has already shipped a WordPress C2PA plugin that solves for publisher-level signing without a hosted service. Publishers obtain their own certificates from a partner CA (Truepic or GlobalSign), IPTC verifies the publisher's identity through their Verified News Publishers List, and the plugin signs locally using the publisher's own private key. BBC, CBC/Radio Canada, WDR, and FranceTV are already signing content this way. So the market to solve their problems with the S/MIME certs is partially already covered so they do not seem to be the target audience here.

The publishers sophisticated enough to want "published by The Washington Post" on their manifests are exactly the kind of organizations already in IPTC's network because IPTC is the global standards body for news media. Those publishers have a direct path to their own certificates today. They don't need a WordPress plugin to broker that relationship. And the smaller site owners Jeff described don't need publisher-level identity at all yet. They need WordPress.org to sign on their behalf, which is what local signing with a conformance certificate achieves.

S/MIME sub-certificate issuance may become an option in the future, but it isn't a prerequisite for publisher-level signing. The BYOK tier in this very PR already provides that by letting publishers sign with their own certificate, which is the same model IPTC uses in production today. The Connected tier is being positioned as the path to publisher identity, but that's already achievable within the proposed architecture itself.

As far as the size of this contribution goes, @dkotter noted in his first review that there's a lot here and he's sure he missed some things, which is completely understandable at this scale. That's the natural consequence of reviewing this volume at once. Smaller contributions would make thorough review achievable.

If the existing code is already written and tested, breaking it into smaller progressive contributions should be straightforward and significantly easier for the team to review, understand, and maintain. IPTC's plugin and their "Start signing your news content using C2PA in 5 steps" guide could serve as practical references for the path forward. The PR has already pushed the conversation forward just by existing as a reference. It doesn't need to merge in its entirety to have done its job.

Good luck with this work!

[erik-sv]

@lnispel A few corrections on the IPTC comparison, since it introduces new claims the team should evaluate accurately.

IPTC's WordPress plugin signs images, not text. It wraps c2patool, a Rust binary that must be compiled or installed on the server. That is a fundamentally different architecture from this PR, which implements C2PA signing in pure PHP with zero external dependencies. The two plugins solve different problems for different media types with different deployment constraints.

The publishers in IPTC's network, BBC, CBC/Radio-Canada, WDR, FranceTV, are enterprise news organizations with dedicated IT teams who can manage certificate procurement and binary installation. That is not the user population @jeffpaul described. Jeff's question on March 17 was how to provide signing for the broad WordPress ecosystem, and his response to the BYOK-only model was direct: "Option 2 is almost certainly a non-starter for the majority (or at least statistically significant) of WordPress installs." The Connected tier exists to address that gap, not to replace BYOK, which remains available for publishers who want organizational identity.

On scope: @dkotter has reviewed this PR in detail and provided 21 items of feedback, all addressed. The code is ready for the maintainers to evaluate as a complete architecture. Breaking a reviewed, tested, and cohesive system into sequential PRs does not reduce complexity. It distributes the same review surface across multiple threads while removing the ability to evaluate the tiers as a unified design.

This PR does need to merge to have done its job. An experiment that exists only as a reference is not an experiment. The WordPress AI experiment framework is designed for code that ships, collects feedback, and iterates. I will defer to @jeffpaul, @Jameswlepage, and @dkotter on how they want to proceed.

[jeffpaul]

1. For the settings, please align the dropdowns & checkboxes with the experiment title & description, plus remove the bold font treatment for the dropdown & checkbox labels

2. I think, but curious for @dkotter @Jameswlepage @JasonTheAdams input here, that the Connected and BYOK signing tiers might perhaps be good cases for a Connector for those and then those dropdown options could select from enabled, related connectors?

3. In the Content Provenance sidebar panel, some UI tweaks would be helpful:
   a. "Not Signed"/etc ideally middle aligned with the badge icon
   b. "Signed with local key." feels off with "Not Signed" state, perhaps the copy for that state should be "When signed, will use a local key."?

4. I'm testing using WordPress 7.0-RC2, this PR branch, and the Twenty Twenty-Five theme (aka TT5) and am not able to see the badge on the frontend (above, below, or in-line). We should ensure we're testing with at least TT5 and ensuring badges render as expected there; any additional we test with and verify from the Popular listing from WPORG would be great.

[dkotter]

1. For the settings, please align the dropdowns & checkboxes with the experiment title & description, plus remove the bold font treatment for the dropdown & checkbox labels

Note that with #340 and #376 now merged, this settings page is rendered differently and as such, how these individual settings are set/rendered will need to change (apologies for the extra work there). #376 should provide an example of how this is now handled within the Content Classification experiment

2. I think, but curious for @dkotter @Jameswlepage @JasonTheAdams input here, that the Connected and BYOK signing tiers might perhaps be good cases for a Connector for those and then those dropdown options could select from enabled, related connectors?

I don't think the BYOK will necessarily work there but potential for the Connected option to live there, though I think the ideal is to have that support multiple signing services not just Encypher (which is a separate question we probably need to discuss) and that may complicate making this a Connector.

3. In the Content Provenance sidebar panel, some UI tweaks would be helpful:
   a. "Not Signed"/etc ideally middle aligned with the badge icon
   b. "Signed with local key." feels off with "Not Signed" state, perhaps the copy for that state should be "When signed, will use a local key."?

Also just need more spacing here, everything just runs together.

And just my opinion but not sure we need that "Signed with local key" warning? Just seems like an attempt to get people to switch to the Connected approach and probably causes more confusion than anything. I'd recommend either removing that or putting that as a tooltip under an icon, like the warning icon.

4. I'm testing using WordPress 7.0-RC2, this PR branch, and the Twenty Twenty-Five theme (aka TT5) and am not able to see the badge on the frontend (above, below, or in-line). We should ensure we're testing with at least TT5 and ensuring badges render as expected there; any additional we test with and verify from the Popular listing from WPORG would be great.

Was going to flag this as well. In my testing I don't ever see anything output on the front-end.

One other bug I noticed, if I have content that was published prior to activating this experiment, if I open that item in the editor but I don't save anything (say I just refresh), it seems the content automatically is signed, even though we claim that only happens on publish and updates.

[dkotter]

The cost of writing code is trivial. The cost of reviewing, understanding, and maintaining it is not. 228 tests tell you the code does what the author intended. They don't tell you it's the right architecture for WordPress, and they don't reduce the cost of the team needing to fully understand and own every line after it merges. If this was more collaborative in its development, more of the team would be brought along with the decisions inside which would make it more valuable to the ecosystem and the maintainers as a whole.

As far as the size of this contribution goes, @dkotter noted in his first review that there's a lot here and he's sure he missed some things, which is completely understandable at this scale. That's the natural consequence of reviewing this volume at once. Smaller contributions would make thorough review achievable.

If the existing code is already written and tested, breaking it into smaller progressive contributions should be straightforward and significantly easier for the team to review, understand, and maintain.

I do agree with most everything noted in these comments. I would love to see multiple, smaller PRs that make this much easier to review and test and feel confident about merging things in. Wondering if there's a way to easily do this? I don't want to cause undue effort at this point but it is more likely that this will get merged in if we can break it down into smaller pieces, maybe a PR for just local signing and other PRs for connected and BYOK signing?

[jeffpaul]

I'm thinking we may want to generalize the UI for the Connected signing tier as well as any code or code comments related to this so we're not explicitly calling out Encypher and can allow any similar CA-verified certificate provider to be clearly applicable (versus it appearing that perhaps this is only for Encypher).

• Update dropdown to Connected - CA-verified provider
• Update description to "Connected signing users a CA-verified certificate from a signing service. Manifests are trusted by standard C2PA verifiers like Content Credentials."
• Update Service URL placeholder to https://api.example.com/api/v1/sign
• Update Service URL description to "Pre-configured example, update to actual signing service."
• Remove API Key description (unless we want to maintain a listing of known providers and can link to that in place of a singular link reference for Encypher)

[erik-sv]

Pushed changes addressing review feedback. Summary:

Settings page migration (#340/#376 compatibility)

• Removed render_settings_fields() (~250 lines of PHP/HTML/JS)
• Implemented get_settings_fields() returning 8 declarative field definitions for the DataForm architecture
• All settings registered with show_in_rest and proper schemas for the REST API

Sidebar UX

• Replaced static "Signed with local key" notice with dynamic, tier-aware copy: "Will be signed with [local key / CA-verified provider / publisher certificate]." Only shown for unsigned content.
• Fixed badge/label alignment and section spacing

Provider generalization (per @jeffpaul's comment)

• Dropdown: "Connected - CA-verified provider"
• Service URL description: "Signing endpoint for your CA-verified provider. Pre-configured with a default; update to match your provider."
• API key description: "API key from your CA-verified signing provider. Known compatible providers: Encypher."
• Added KNOWN_PROVIDERS constant in Connected_Signer as a maintainable registry of compatible providers
• Generalized all docblocks and code comments

Auto-sign bug fix (per @dkotter's comment)

• Content published before the experiment was enabled would auto-sign on editor load without saving. Added a content hash guard: posts already marked signed skip re-signing unless post_content has changed.

Frontend badge

• Fixed show_badge option defaulting to false when not yet in the database (fresh installs)
• Wired up Verification_Badge CSS enqueue for frontend rendering

API key security

• API keys are masked in REST responses (****abcd) so the DataForm settings page never exposes the raw key to the browser

191/192 tests pass (1 pre-existing failure in test_enqueue_assets_runs_on_post_screen, unrelated to this PR).

On smaller PRs: We strongly recommend against breaking this into smaller PRs. The experiment is a single feature with tightly coupled components. Splitting by signing tier would require splitting the UI, the settings registration, the REST endpoints, and the test suite, all of which depend on the shared pipeline. To illustrate the composition:

Category	Lines	% of PR	Notes
Tests	~3,337	42%	192 tests across all components
C2PA protocol layer	~1,812	23%	CBOR, COSE, JUMBF, Claim Builder
Backend (settings, REST, badge, pipeline)	~1,542	19%	Shared across all tiers
Signing method implementations	~795	10%	Local, Connected, BYOK strategy classes
UI (sidebar panel, SCSS, webpack)	~479	6%	Single sidebar panel for all tiers

The signing methods that would be candidates for splitting represent 10% of the code. The other 90%, the test suite, protocol layer, backend pipeline, and UI, cannot function without at least one signing method present and would need to be duplicated or stubbed across separate PRs. A split would increase review burden rather than reduce it.

[dkotter]

Noting I've not had a chance to review and test the latest round of changes but in testing other things within the AI plugin after I had tested this PR, ran into a fairly major issue we'll need to solve here.

When a piece of content is signed, we add some invisible unicode characters to the bottom of the content. This content is then stored in the normal post_content database field. The issue here is if another plugin needs to use this content for something, these unicode characters come along for the ride, so to speak.

The issue I ran into is in testing other AI features within this plugin after I had tested this PR, the amount of tokens I was using for each AI request sky rocketed, going from ~800 input tokens to ~90,000 input tokens, all because of these invisible unicode characters.

I imagine other plugins (both those doing things with AI and those that don't) that need to use the content of a post will also run into issues with these unicode characters automatically being applied to the content.

It seems like we need some way to separate out these characters from the actual content we store in the database. One suggestion would be to store those as a separate meta field and then add those into the content when needed (for things like checking provenance). This way any other plugin that grabs the content field won't be getting those characters as well.

That is just one suggestion though and there's likely other ways to solve this but we need to figure that out before we can move forward with this.

[jeffpaul]

@Jameswlepage @JasonTheAdams tagging you two for review / testing / validation here as it sounds like there was a call that preceded this PR being open that y'all were on and thus @dkotter + I are likely lacking context. I also know there's some other conversations to be had about how to get WPORG set up as a signing entity. Given we're targeting a 0.8.0 release this week, I've moved this PR to the 1.0.0 milestone in case that timing lines up when y'all are able to coordinate and have things ready here. Also worth noting I'm very excited about this work, and have been for years, so please let me know how I can help support y'all here.

[erik-sv]

@dkotter Good catch on the post_content token increase. Yes, any C2PA signing of the post content that gets embedded into the post would increase how many tokens are used if the AI system doesn't ignore the embedding.

I went with a variation of your meta-field suggestion. The signed content, Unicode markers included, now lives entirely in _c2pa_embedded_content post meta. post_content stays clean. A priority-1 the_content filter injects the signed bytes at render time and removes wpautop so the byte stream stays intact. Paragraph formatting is preserved visually with white-space: pre-line on the wrapper div.

While I was in there, we also consolidated sign_on_publish and sign_on_update into a single sign_after_save callback on wp_after_insert_post. That hook fires once per save after all other hooks finish, which eliminates the double-signing race when both publish_post and post_updated fire for the same edit. A content hash guard skips re-signing when the text has not changed.

Verification works end-to-end now. The editor verify button sends post_id to the REST endpoint, which reads the canonical signed bytes from meta rather than relying on sanitized input. Would welcome your thoughts on the approach when you get a chance to look at the latest changes.

[erik-sv]

@jeffpaul Glad to have your energy behind this. The latest push addresses the post_content contamination issue @dkotter identified, which was the last architectural piece to sort out. Signed bytes now live in post meta, so other plugins reading post_content are unaffected.

Happy to coordinate with @Jameswlepage and @JasonTheAdams on review and testing. The WPORG signing entity question can run in parallel without blocking the code review, so those conversations can happen on their own timeline.

Let us know what you need from our side to keep things moving.