Sign C2PA manifests using Azure Trusted Signing.

Project description

c2pa-azure-py

Sign files with C2PA content credentials using the Azure Trusted Signing service.

The project ships in two forms from a single codebase:

  • A Python library (c2pa_azure) you can import in your own apps.
  • A standalone CLI (c2pa-azure-sign) you can run from the shell or a container.

Installation

From source

git clone https://github.com/duggaraju/c2pa-azure-py.git
cd c2pa-azure-py
python -m venv .venv
source .venv/bin/activate            # Windows: .venv\Scripts\activate
pip install .                        # add -e for an editable/dev install

As a dependency in another project

pip install c2pa-azure                # once published to PyPI
# or directly from a Git ref:
pip install git+https://github.com/duggaraju/c2pa-azure-py.git

Authentication

Sign in to Azure before running. Any credential supported by DefaultAzureCredential will work (Azure CLI, Managed Identity, environment variables, etc.).

az login
# In WSL or headless environments:
az login --use-device-code

CLI usage

c2pa-azure-sign \
    -i path/to/input.jpg \
    -o path/to/output.jpg \
    -e https://<region>.codesigning.azure.net/ \
    -a <trusted-signing-account> \
    -c <certificate-profile>

Equivalent invocation without an entry-point script:

python -m c2pa_azure -i input.jpg -o output.jpg -e https://... -a acct -c profile

Optional flags:

Flag            Description
-m, --manifest  Path to a manifest JSON file, or an inline manifest string. Defaults to the bundled manifest.json.
-s, --settings  Path to a C2PA settings TOML file.
-f, --force     Overwrite the output file if it already exists (default: on).

Library usage

from azure.identity import DefaultAzureCredential
from c2pa_azure import AzureSigner, TrustedSigningSettings

credential = DefaultAzureCredential()

settings = TrustedSigningSettings(
    certificate_profile="my-cert-profile",
    service_account="my-trusted-signing-account",
    endpoint="https://eus.codesigning.azure.net/",
    # Optional: TOML-formatted C2PA settings string. None = library defaults.
    c2pa_settings=None,
)

manifest = """
{
  "claim_generator": "my_app/1.0.0",
  "title": "My Signed Image",
  "assertions": [
    { "label": "stds.schema-org.CreativeWork",
      "data": { "@context": "https://schema.org", "@type": "CreativeWork",
                "author": [{ "@type": "Person", "name": "Jane Doe" }] } }
  ]
}
"""

signer = AzureSigner(credential, settings, manifest)
signer.sign("input.jpg", "output.jpg")
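
A pre-flight check for the endpoint value, as an added example (not part of the c2pa-azure project): the client authenticates to whatever host `endpoint` names, so a value that does not match the `https://<region>.codesigning.azure.net/` form shown on this page is worth rejecting before a signer is built. The `check_endpoint` and `audit` names and the single-label alphanumeric region rule are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: endpoints follow the https://<region>.codesigning.azure.net/
# form shown on this page, with a single alphanumeric region label.
ALLOWED_SUFFIX = ".codesigning.azure.net"


def check_endpoint(endpoint: str) -> str:
    """Return the normalised endpoint origin, or raise ValueError."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme != "https":
        raise ValueError("endpoint must use https")
    # Userinfo can make a different host resemble the expected one.
    if parts.username is not None or parts.password is not None:
        raise ValueError("endpoint must not contain userinfo")
    host = (parts.hostname or "").rstrip(".")
    if not host.endswith(ALLOWED_SUFFIX):
        raise ValueError(f"unexpected endpoint host: {host!r}")
    region = host[: -len(ALLOWED_SUFFIX)]
    if not (region.isascii() and region.isalnum()):
        raise ValueError(f"unexpected region label: {region!r}")
    # Accessing .port raises ValueError by itself when the port is malformed.
    if parts.port not in (None, 443):
        raise ValueError("endpoint must use the default HTTPS port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("endpoint must be a bare origin")
    return f"https://{host}/"


def audit(endpoints):
    """Map each candidate endpoint to 'ok' or the reason it was rejected."""
    results = {}
    for candidate in endpoints:
        try:
            check_endpoint(candidate)
            results[candidate] = "ok"
        except ValueError as exc:
            results[candidate] = str(exc)
    return results


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    samples = [
        "https://eus.codesigning.azure.net/",
        "http://eus.codesigning.azure.net/",
        "https://eus.codesigning.azure.net.other.example/",
    ]
    for value, verdict in audit(samples).items():
        print(f"{value}: {verdict}")
```

Pass the returned string as `endpoint=` to `TrustedSigningSettings`, or as the `-e` argument of the CLI.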

Loading the bundled manifest

from importlib.resources import files
from c2pa_azure import AzureSigner, TrustedSigningSettings

manifest = files("c2pa_azure.data").joinpath("manifest.json").read_text()

Calling the low-level Trusted Signing client

import hashlib

from azure.identity import DefaultAzureCredential
from c2pa_azure import TrustedSigningClient, TrustedSigningSettings

settings = TrustedSigningSettings(
    "profile", "account", "https://eus.codesigning.azure.net/"
)
client = TrustedSigningClient(DefaultAzureCredential(), settings)

cert_chain_p7b = client.get_certificate_chain()

# sign() is given the raw SHA-384 digest (48 bytes) of the data to be signed.
digest = hashlib.sha384(b"data to be signed").digest()  # sample payload
signature = client.sign(digest)

Invoking the CLI from Python

from c2pa_azure.cli import main

exit_code = main([
    "-i", "input.jpg",
    "-o", "output.jpg",
    "-e", "https://eus.codesigning.azure.net/",
    "-a", "my-account",
    "-c", "my-cert-profile",
])

Docker

docker build -t c2pa-azure .
docker run --rm \
    -v "$PWD:/data" \
    -e AZURE_CLIENT_ID -e AZURE_TENANT_ID -e AZURE_CLIENT_SECRET \
    c2pa-azure \
    -i /data/input.jpg -o /data/output.jpg \
    -e https://<region>.codesigning.azure.net/ \
    -a <account> -c <certificate-profile>

Project layout

src/c2pa_azure/
├── __init__.py          # public API: AzureSigner, TrustedSigningClient, TrustedSigningSettings
├── __main__.py          # enables `python -m c2pa_azure`
├── cli.py               # argparse entry point (c2pa-azure-sign)
├── signer.py            # AzureSigner
├── trusted_signing.py   # TrustedSigningClient + TrustedSigningSettings
└── data/                # bundled manifest.json and settings.toml

Development

pip install -e ".[dev]"
pytest
python -m build           # produces dist/*.whl and dist/*.tar.gz

License

This project is licensed under the MIT License. See the LICENSE file for details.

Download files

Source Distribution

c2pa_azure-0.32.3.tar.gz (11.5 kB)

Uploaded Source

Built Distribution

c2pa_azure-0.32.3-py3-none-any.whl (14.1 kB)

Uploaded Python 3

File details

Details for the file c2pa_azure-0.32.3.tar.gz.

File metadata

  • Download URL: c2pa_azure-0.32.3.tar.gz
  • Upload date:
  • Size: 11.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for c2pa_azure-0.32.3.tar.gz
Algorithm    Hash digest
SHA256       382e150848b793a7fce031d4c690487ec9d3694ecfbc63a8c53f986e5014a9b4
MD5          d6d91d074d5a6799df6e7aa9683f3cb9
BLAKE2b-256  ea2545a720048ad2fcf2735eb33c8fffb963606a60bb80b7c9e6817eca6b80ae

File details

Details for the file c2pa_azure-0.32.3-py3-none-any.whl.

File metadata

  • Download URL: c2pa_azure-0.32.3-py3-none-any.whl
  • Upload date:
  • Size: 14.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for c2pa_azure-0.32.3-py3-none-any.whl
Algorithm    Hash digest
SHA256       15d1852bc10db9ecef67fa253b1b67f3d7c529d363791554c3541b666fe58266
MD5          99eb13df6f251870a2e96d48ed51d22c
BLAKE2b-256  6c6d0600d16b2e60f2e3ce3dcbea76603009dbb634f8caa4904ed146d220b253
