# Install c2patool with Homebrew, Nix

CLI for working with C2PA manifests and media assets. Version 0.26.69 via Homebrew; verified 2026-07-08.

## Install

```sh
sudo av install brew:c2patool
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install c2patool
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#c2patool
```

  Evidence: nixpkgs package indexes: pkgs/by-name/c2/c2patool/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:c2patool
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/c2patool>
- **Version:** 0.26.69
- **Source summary:** CLI for working with C2PA manifests and media assets
- **Homepage:** <https://contentauthenticity.org>
- **Repository:** <https://github.com/contentauth/c2pa-rs>
- **Upstream docs:** <https://github.com/contentauth/c2pa-rs/blob/main/cli/README.md>
- **License:** Apache-2.0 OR MIT
- **Source archive:** <https://github.com/contentauth/c2pa-rs/archive/refs/tags/c2patool-v0.26.69.tar.gz>
- **Last updated:** 2026-07-08T03:19:24Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- c2patool (cli)
- c2patool (alias)

## Dependencies

- openssl@4

## Build dependencies

- pkgconf
- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.26.69
- Package-manager updated: 2026-07-08
- Local data: ok
- Upstream repository: https://github.com/contentauth/c2pa-rs
- Upstream latest detected: c2patool-v0.26.69 (current)
## Project history and usage

c2patool is the command-line tool from the c2pa-rs project for reading, validating, creating, and embedding C2PA manifests in media assets. Its history is tied to the Content Authenticity Initiative and the Coalition for Content Provenance and Authenticity push to make media provenance machine-readable.

### Project history

C2PA was founded in February 2021 by Adobe, Arm, the BBC, Intel, Microsoft, and Truepic to develop technical standards for certifying the source and history of media content. The c2pa-rs repository began with an initial public release on 23 May 2022 and became the Rust SDK and CLI implementation used by the Content Authenticity Initiative open-source tooling.

The c2patool README describes a CLI that works with C2PA manifests and audio, image, or video assets. It can read summary JSON, read detailed manifest data, add manifests to assets, use sidecar or remote manifests, inspect certificate chains, configure trust, and work with signing commands.

### Adoption history

The tool is distributed through Homebrew for macOS, prebuilt GitHub release archives for macOS, Windows, and Linux, and source builds from the c2pa-rs repository. source_facts also records Nix packaging.

The broader adoption story is standards-driven: c2pa-rs implements part of the C2PA technical specification and CAWG identity assertion work, so the CLI serves developers, publishers, and tool builders testing Content Credentials workflows before or alongside application integration.

### How it is used

Common c2patool usage includes printing manifest JSON from an asset, saving manifest reports to an output directory, adding a manifest definition to a file, generating `.c2pa` sidecars, embedding remote manifest references, extracting signing certificates, and producing ingredient records for asset history.

The CLI supports a settings file, defaulting to `~/.config/c2pa/c2pa.toml` unless C2PATOOL_SETTINGS or `--settings` overrides it. Signing can be delegated to subprocess signers so private key material does not need to pass directly through the CLI in production.

### Why package nerds care

c2patool is package-nerd interesting because it turns a large media-authenticity standard into a composable Unix-style inspection and signing tool. That makes C2PA manifests testable in CI, build pipelines, image-processing scripts, and release workflows.

It also shows a modern package pattern: a Rust SDK repository shipping libraries, C FFI, documentation, examples, release archives, and a CLI, all around a fast-moving standard rather than a single old protocol.

### Timeline

- 2021-02: C2PA is founded by Adobe, Arm, BBC, Intel, Microsoft, and Truepic.
- 2022-05-23: c2pa-rs upstream Git history begins with an initial public release.
- 2026-04-29: c2patool changelog records init trust, trust sidecars, and atomic sidecar writes.
- 2026-05-27: c2patool 0.26.60 adds intent support and create/update signing behavior.
- 2026-06-09: c2patool 0.26.65 fixes a DLL hijacking vulnerability.
- 2026-06-19: c2patool 0.26.68 is published in the upstream changelog.

### Related projects

- c2pa-rs: the Rust SDK repository that contains c2patool.
- Content Authenticity Initiative: the open-source SDK and community context for C2PA tooling.
- C2PA technical specification: the standard implemented by the Rust SDK and CLI.
- c2patool-service-example: official example repository for using c2patool from a Node.js server application.

### Sources

- <https://c2pa.org/about/>
- <https://github.com/contentauth/c2pa-rs/blob/main/README.md>
- <https://github.com/contentauth/c2pa-rs/blob/main/cli/CHANGELOG.md>
- <https://github.com/contentauth/c2pa-rs/blob/main/cli/README.md>
- <https://github.com/contentauth/c2pa-rs/blob/main/cli/docs/usage.md>
- source_facts.package-manager


## Security Notes

No matching local secret-handling manifest was found for c2patool. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ~/.config/c2pa/c2pa.toml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** c2patool
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - c2patool: normalized package name match | nixpkgs package indexes: pkgs/by-name/c2/c2patool/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Media and graphics packages](https://www.automicvault.com/pkg/media-graphics-tools/) - Matched media, image, audio, video, or graphics metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [openssl@4](https://www.automicvault.com/pkg/brew/openssl-4/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [mat2](https://www.automicvault.com/pkg/brew/mat2/) - Shares av.db curated category or tags: cli, metadata, security.
- [vexctl](https://www.automicvault.com/pkg/brew/vexctl/) - Shares av.db curated category or tags: cli, metadata, security.
- [mac-robber](https://www.automicvault.com/pkg/brew/mac-robber/) - Shares av.db curated category or tags: cli, metadata, security.
- [acme.sh](https://www.automicvault.com/pkg/brew/acme-sh/) - Shares av.db curated category or tags: cli, security.
- [aescrypt](https://www.automicvault.com/pkg/brew/aescrypt/) - Shares av.db curated category or tags: cli, security.
- [aespipe](https://www.automicvault.com/pkg/brew/aespipe/) - Shares av.db curated category or tags: cli, security.
- [afflib](https://www.automicvault.com/pkg/brew/afflib/) - Shares av.db curated category or tags: cli, security.
- [afl++](https://www.automicvault.com/pkg/brew/afl/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/pkg/brew/aircrack-ng/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, openssl, openssl-4, security.
- [easy-rsa](https://www.automicvault.com/pkg/brew/easy-rsa/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, openssl, openssl-4, security.
- [encfs](https://www.automicvault.com/pkg/brew/encfs/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, openssl, openssl-4, security.

## Combined YAML source

View the package source record on GitHub. [combined/c2patool.yml](https://github.com/automic-vault/db/blob/main/combined/c2patool.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
