Automic VaultAutomic Vault

brew

Install c2patool with Homebrew, Nix

CLI for working with C2PA manifests and media assets. Version 0.26.69 via Homebrew; verified 2026-07-08.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install c2patool

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#c2patool

nixpkgs package indexes · pkgs/by-name/c2/c2patool/package.nix · source: api.github.com

overview

Package summary

CLI for working with C2PA manifests and media assets

Commands and aliases

  • c2patool

history

Project history and usage

c2patool is the command-line tool from the c2pa-rs project for reading, validating, creating, and embedding C2PA manifests in media assets. Its history is tied to the Content Authenticity Initiative and the Coalition for Content Provenance and Authenticity push to make media provenance machine-readable.

Project history

C2PA was founded in February 2021 by Adobe, Arm, the BBC, Intel, Microsoft, and Truepic to develop technical standards for certifying the source and history of media content. The c2pa-rs repository began with an initial public release on 23 May 2022 and became the Rust SDK and CLI implementation used by the Content Authenticity Initiative open-source tooling.

The c2patool README describes a CLI that works with C2PA manifests and audio, image, or video assets. It can read summary JSON, read detailed manifest data, add manifests to assets, use sidecar or remote manifests, inspect certificate chains, configure trust, and work with signing commands.

Adoption history

The tool is distributed through Homebrew for macOS, prebuilt GitHub release archives for macOS, Windows, and Linux, and source builds from the c2pa-rs repository. source_facts also records Nix packaging.

The broader adoption story is standards-driven: c2pa-rs implements part of the C2PA technical specification and CAWG identity assertion work, so the CLI serves developers, publishers, and tool builders testing Content Credentials workflows before or alongside application integration.

How it is used

Common c2patool usage includes printing manifest JSON from an asset, saving manifest reports to an output directory, adding a manifest definition to a file, generating `.c2pa` sidecars, embedding remote manifest references, extracting signing certificates, and producing ingredient records for asset history.

The CLI supports a settings file, defaulting to `~/.config/c2pa/c2pa.toml` unless C2PATOOL_SETTINGS or `--settings` overrides it. Signing can be delegated to subprocess signers so private key material does not need to pass directly through the CLI in production.

Why package nerds care

c2patool is package-nerd interesting because it turns a large media-authenticity standard into a composable Unix-style inspection and signing tool. That makes C2PA manifests testable in CI, build pipelines, image-processing scripts, and release workflows.

It also shows a modern package pattern: a Rust SDK repository shipping libraries, C FFI, documentation, examples, release archives, and a CLI, all around a fast-moving standard rather than a single old protocol.

Timeline

  • 2021-02: C2PA is founded by Adobe, Arm, BBC, Intel, Microsoft, and Truepic.
  • 2022-05-23: c2pa-rs upstream Git history begins with an initial public release.
  • 2026-04-29: c2patool changelog records init trust, trust sidecars, and atomic sidecar writes.
  • 2026-05-27: c2patool 0.26.60 adds intent support and create/update signing behavior.
  • 2026-06-09: c2patool 0.26.65 fixes a DLL hijacking vulnerability.
  • 2026-06-19: c2patool 0.26.68 is published in the upstream changelog.

Related projects

  • c2pa-rs: the Rust SDK repository that contains c2patool.
  • Content Authenticity Initiative: the open-source SDK and community context for C2PA tooling.
  • C2PA technical specification: the standard implemented by the Rust SDK and CLI.
  • c2patool-service-example: official example repository for using c2patool from a Node.js server application.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for c2patool. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 2 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
~/.config/c2pa/c2pa.toml

executables

Installed executables

CommandKindExposureNote
c2patoolcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.26.69
manager updated2026-07-08
local dataok
upstreamcurrent
latest detectedc2patool-v0.26.69

https://github.com/contentauth/c2pa-rs

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:c2patool
Version0.26.69
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/c2patool
Homepagehttps://contentauthenticity.org
Repositoryhttps://github.com/contentauth/c2pa-rs
Upstream docshttps://github.com/contentauth/c2pa-rs/blob/main/cli/README.md
LicenseApache-2.0 OR MIT
Source archivehttps://github.com/contentauth/c2pa-rs/archive/refs/tags/c2patool-v0.26.69.tar.gz
Last updated2026-07-08T03:19:24Z
Pulseupdated
Dependenciesopenssl@4
Build dependenciespkgconf, rust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namec2patool
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

c2patool

nix profile install nixpkgs#c2patool
  • normalized package name match
  • Matched by: C2patool
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/c2/c2patool/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment