AWS for M&E Blog

CBC/Radio-Canada documents video authenticity with Content Credentials on AWS

The CBC/Radio-Canada is Canada’s national public broadcaster, providing a range of programming through its websites, streaming services, podcasts, television and radio. With the rising danger of AI-created deepfakes and the erosion of trust in media, CBC/Radio-Canada needed a way to demonstrate the authenticity of its videos to maintain the confidence of the Canadian public.

The Content Credentials specification, published by the Coalition for Content Provenance and Authenticity (C2PA), is rapidly emerging as an important tool to document the authenticity of digital assets. The specification provides a method to associate provenance metadata with videos, images, audio files, and other digital assets. Content Credentials does this by creating a signed manifest that is bound to a specific version of an asset through a digital hash.

The hash value is generated by a mathematical algorithm that uniquely represents the input data and ensures that it has not been altered. All of the provenance metadata (creation date, title, description, and so on) can be included in the manifest and hashed to prevent the information from being altered. Even if a single bit is changed in the data, the computed hash will be different. Figure 1 provides a high-level depiction of a C2PA manifest, showing the metadata assertions, hash values stored in a claim, and the digital signature.

Diagram showing the structure of a C2PA manifest, with color-coded sections including a green manifest container, yellow claim signature box, pink claim box, and blue assertions box.

Figure 1: Structure of a C2PA manifest.

As a C2PA member and a proponent of Content Credentials, CBC/Radio-Canada wanted a process to add C2PA manifests to its videos. For help, CBC/Radio-Canada turned to the Amazon Web Services (AWS) Prototyping team, whose mission is to catalyze innovation by working closely with customers and partners to apply emerging technology to pressing business challenges. They bring together key ingredients for innovation: a focus on solving real-world challenges, a bias for speed, and competencies in emerging technology.

AWS has extensive experience developing Content Credentials solutions. It joined the C2PA in 2024 and has published a Guidance for Media Provenance with C2PA on AWS containing an open-source solution for running Content Credentials workloads in the cloud. The AWS guidance solution produces a Content Credentials sidecar file to document each asset’s origin.

However, the guidance solution does not support fragmented MP4 (fMP4) video files. This is the format used by CBC/Radio-Canada, and the industry standard for video on demand (VOD) and live streaming.

Technical challenges handling fMP4

An fMP4 package consists of an initialization segment and multiple media fragments containing video data. Video players read the initialization segment and then load the fragments for playback. fMP4 provides a better user experience than downloading the entire file because each fragment is small and can be retrieved quickly—reducing latency.

Applying Content Credentials to fMP4 presents several challenges. The specification requires validators to calculate a hash value for each fragment and to compare it against a pre-calculated value stored in the manifest. The validator also needs to regenerate the signature stored in the manifest to make sure that nothing has been changed. All these validation checks occur during playback, so the process must be completed quickly to avoid delays that would degrade the user experience.
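
The hash and signature checks described above, as an added example that is not part of the original post or the AWS solution's code: a simplified Python model of a manifest (assertions, a claim holding hashes, and a claim signature) with a one-time manifest check before playback and a per-fragment check during playback. Assumptions: the manifest is a plain dictionary rather than the C2PA binary format, HMAC-SHA256 stands in for the certificate-based signature, fragment hashes are kept as a flat list, and the byte strings, key, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: stand-ins for an init segment and two media fragments.
INIT = b"ftyp-moov-init-segment"
FRAGMENTS = [b"moof-mdat-fragment-1", b"moof-mdat-fragment-2"]
ASSERTIONS = {"xmp:CreateDate": "2025-06-03", "pdf:Keywords": "foo,bar"}
DEMO_KEY = b"demo-signing-key"  # assumption: HMAC key standing in for the signer's private key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Serialize deterministically so signer and validator hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(init, fragments, assertions, key):
    """Create a toy manifest: assertions, a claim holding hashes, a claim signature."""
    claim = {
        "assertions_hash": sha256_hex(canonical(assertions)),
        "init_hash": sha256_hex(init),
        "fragment_hashes": [sha256_hex(f) for f in fragments],
    }
    signature = hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()
    return {"assertions": assertions, "claim": claim, "signature": signature}


def validate_manifest(manifest, init, key):
    """Run once before playback: signature over the claim, then the hashes it pins."""
    claim = manifest["claim"]
    expected = hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return "claim signature mismatch"
    if sha256_hex(canonical(manifest["assertions"])) != claim["assertions_hash"]:
        return "assertion hash mismatch"
    if sha256_hex(init) != claim["init_hash"]:
        return "init segment hash mismatch"
    return "ok"


def validate_fragment(manifest, index, data):
    """Run per fragment during playback, against the already-verified claim."""
    hashes = manifest["claim"]["fragment_hashes"]
    if index < 0 or index >= len(hashes):
        return False  # fragment is not covered by the manifest
    return hmac.compare_digest(sha256_hex(data), hashes[index])


if __name__ == "__main__":
    m = build_manifest(INIT, FRAGMENTS, ASSERTIONS, DEMO_KEY)
    print("manifest:", validate_manifest(m, INIT, DEMO_KEY))
    print("fragment 0 intact:", validate_fragment(m, 0, FRAGMENTS[0]))
    print("fragment 1 altered:", validate_fragment(m, 1, FRAGMENTS[1] + b"\x00"))
```

Splitting the work this way keeps the signature check out of the playback loop: each fragment costs one hash and one comparison once the claim has been verified.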

This new AWS Content Credentials solution performs validation using an open-source toolkit provided by the Content Authenticity Initiative (CAI), a nonprofit organization that provides tools to support Content Credentials implementations.

AWS solution overview

The AWS solution, developed for CBC/Radio-Canada, is a significant upgrade to the version described in a previous blog. The updated solution provides an AWS Amplify frontend for users to upload digital assets, view Content Credentials metadata and relationships, and manage Content Credentials workloads. The frontend also includes a dynamic adaptive streaming over HTTP (DASH) video player so users can view and validate the integrity of fMP4 videos.

On the backend, the solution employs a dual compute strategy using AWS Lambda and AWS Fargate. Users may select which compute architecture to use based on their needs. Lambda is a serverless technology that is best for intermittent workloads because users are charged based on the number of requests for their functions and the duration it takes for their code to execute. AWS Fargate is a serverless compute engine for containers that runs continuously for low-latency processing. Since users pay for Fargate even when it is not generating a manifest, it is best suited for larger, continuous workloads.

Architecture and deployment

Figure 2 depicts a high-level view of the solution architecture. Users authenticate to the AWS Amplify frontend using Amazon Cognito. Amazon Simple Storage Service (Amazon S3) buckets store all uploaded and processed assets. The Amplify frontend sends messages to an AWS Lambda function, which serves as middleware that has permission to invoke backend processing. If the user wants to use Lambda to process assets, the middleware triggers an AWS Lambda function URL that is not accessible to the frontend. If the user wishes to use Fargate for processing, the middleware sends messages to an internal Application Load Balancer (ALB) that connects to the Fargate task.

Solution architecture. The AWS Cloud group contains solution resources: AWS Key Management Service, Amazon Cognito, AWS Amplify, Amazon S3 (Media, init and segment files), Amazon Elastic Container Registry, Amazon Elastic Container Service, AWS Secrets Manager. An Amazon VPC contains the following resources: AWS Lambda (UI Middleware), AWS Lambda (C2PA Lambda), Application Load Balancer, Amazon S3 (Signed media), AWS Fargate. Arrows connect the following: Amazon Cognito to AWS Amplify; AWS Amplify to AWS AppSync; AWS Amplify to Amazon S3 (Media, init and segment files); AWS AppSync to AWS Lambda (UI Middleware); Amazon Elastic Container Registry to Amazon Elastic Container Service; AWS Lambda (UI Middleware) to AWS Lambda (C2PA Lambda); AWS Lambda (UI Middleware) to Application Load Balancer; AWS Lambda (C2PA Lambda) to Amazon S3 (Signed Media); Application Load Balancer to AWS Fargate; AWS Fargate to Amazon S3 (Signed Media); Amazon Elastic Container Service to AWS Fargate; AWS Secrets Manager to AWS Lambda (C2PA Lambda); AWS Secrets Manager to AWS Fargate.

Figure 2: Solution architecture.

An open-source repository contains all the solution code, documentation, and deployment scripts. Be sure to check the prerequisites noted in the documentation.

In particular, you must install the:

Once you have performed all deployment steps, you can launch a local version of the solution frontend. You must manually add a username and password to the Amazon Cognito user pool in order to log in. You must also update your local .env config file so the solution can connect to the resources created during deployment.

The command to launch the Amplify frontend is: pnpm dev

The command will start a local web server and return the application URL.

Note: The solution is not intended for production use. It is a prototype that supports common use cases so you can experiment with the Content Credentials specification and jumpstart your development of a production system.

We will walk through the following use cases:

  1. Adding Content Credentials metadata to an image
  2. Viewing existing Content Credentials metadata in an asset
  3. Adding Content Credentials metadata to fMP4 videos

Use case 1: Adding Content Credentials metadata to an image

The Content Credentials specification gives users the ability to store any type of metadata inside a manifest. A common need is to record how an image has been edited after it was initially captured by a camera. To demonstrate this use case, log in to the solution and click Upload Asset in the left sidebar (see Figure 3).

C2PA Media Manager upload interface showing a file drop zone with 'Browse files' button and a description stating 'Upload your media assets with or without c2pa metadata attached'. There is a menu along the left side of the main Media Asset Upload area. It is accordion style with the Media Manager menu option expanded. Media Manager includes navigation options for Library, Upload Asset, and Edit Asset.

Figure 3: Uploading an image.

Select an image on your system, upload it, and then click Edit Asset in the lefthand sidebar. A dropdown menu will list all the assets you have uploaded. Select the image you want to revise and then click the Next button (see Figure 4).

C2PA Media Manager edit interface showing the "Step 1 of 4: Choose asset to edit" area. The screen displays a dropdown menu with 'c2pa-manifest.png' selected and a blue 'Next' button. The menu on the left-hand side shows Edit Asset was selected.

Figure 4: Editing an image.

The application will display a set of editing tools to revise the image (see Figure 5). Once you’ve made changes, click Next to see a JSON representation of how the edits will be recorded in the manifest.

Image editing interface showing slider controls for Brightness, Contrast, Saturation, Grayscale, Rotate, and Zoom adjustments, with Reset buttons and Previous/Next navigation options.

Figure 5: Editing an image.

JSON code snippet showing C2PA orientation action configuration with parameters including 'actionType' 'ImageRotation' and 'actionValue' of 91 degrees.

Figure 6: JSON representation of editing actions that will be recorded in the manifest.

Based on the Content Credentials specification, edits are recorded as action assertions (see Figure 6). If the changes look correct, click Next. The system will create a new version of the image with a signed manifest and add it to the asset library.

Note that the Content Credentials specification allows you to record any metadata in a manifest file such as descriptions, keywords, copyright, and so on. The solution only supports recording edit actions, but you can extend this logic to meet your specific use case. The underlying API used by the solution will accept any metadata you supply.

Use case 2: Viewing Content Credentials metadata

To check an asset for Content Credentials metadata, log in to the solution and navigate to the Library under the Media Manager (see Figure 7).

Coalition for Content Provenance and Authenticity (C2PA) Guidance platform interface showing Media Manager library view with two JPG files listed with their sizes and modification dates.

Figure 7: Media Manager Library.

Click an asset link and the application will display the asset detail. At this time, the solution will check whether the asset contains a manifest and run validation tests (Figure 8).

Asset inspection view showing file details for an image of seven different multi-colored corrugated ribbons, including filename, type, size and last modified date, with validation status and manifest store option.

Figure 8: Asset detail view. The “No Validation Errors” message confirms the manifest is valid.

Click the Manifests tab to see a JSON representation of the manifest embedded in the asset (Figure 9).

JSON manifest data display showing technical details of a C2PA asset including label, title, format, signature information, and ingredients.

Figure 9: JSON view of the manifest.

Click the Interactive Map tab. This view displays a tree showing how the current asset is related to earlier versions that served as ingredients (Figure 10).

Interactive node map visualization showing relationships between multiple image assets of the multi-colored corrugated ribbons, displayed in a flowchart-style layout with thumbnail previews.

Figure 10: Interactive Map view showing how this asset was derived from other assets.

To read and validate manifests, the solution relies on a JavaScript framework that runs completely within the browser. The CAI developed the framework as an open-source project you can incorporate into your own applications.

The CAI also maintains a separate website to validate Content Credentials metadata. You can access the CAI validation site by clicking View in Verify Tool. The solution will provide the Verify Tool with a signed Amazon S3 URL so that it can access and validate the asset you created. By default, the Amazon S3 URL will expire in 15 minutes.

Use Case 3: Adding Content Credentials metadata to fMP4 videos

The fMP4 section of the Amplify frontend supports managing, uploading, editing, and signing fMP4 files. Use a service such as AWS Elemental MediaConvert or a third-party tool like ffmpeg to transcode your video into fMP4. An adaptive bitrate streaming format like DASH is recommended because the solution includes built-in support for a DASH player. This enables adaptive playback across different devices and network conditions. When using DASH, the output consists of an initialization segment (.mp4), multiple media segments (.m4s), and a manifest file (.mpd) containing metadata and segment information.

Create a JSON file that will contain additional metadata you want to place inside the manifest. This JSON will need to conform to the format used by the CAI c2patool. For details on the format of this file, refer to the CAI documentation. An example providing keywords and a creation date is shown in the following code snippet.

{
   "assertions":[
      {
         "label": "c2pa.metadata",
         "data": {
            "@context": {
               "xmp": "http://ns.adobe.com/xap/1.0/",
               "pdf": "http://ns.adobe.com/pdf/1.3/"
            },
            "xmp:CreateDate": "2025-06-03",
            "pdf:Keywords": "foo,bar"
         }
      }
   ]
}

Once you have created the files, launch the solution and select Upload fMP4 Asset. The solution will ask you to specify a folder name, which it will use to hold assets in Amazon S3 (see Figure 11).

Screenshot of the fMP4 Asset Upload interface in the C2PA Guidance system. Shows a text input field labeled 'TEST' and a 'Save Folder Name' button. The interface includes navigation options for Overview, Media Manager, Simulations, and Fragmented MP4.

Figure 11: Create folder to hold fMP4 assets.

Click Save Folder Name. You can now upload all the fMP4 files and the JSON file containing the manifest metadata (Figure 12).

Screenshot of an fMP4 file upload interface with a drag-and-drop area. The interface displays 'Drop files here or Browse files' in a dashed border box, with upload options and navigation menu visible.

Figure 12: Upload fMP4 files.

After upload, click Sign fMP4 in the lefthand sidebar. You can now reselect the folder where you placed all the assets. As shown in Figure 13, you will then provide the following identifiers:

  • New folder name for the output containing Content Credentials metadata
  • Name of the initialization segment file
  • Pattern that matches the fragment files
  • Name of the JSON file with C2PA manifest metadata

Screenshot of a two-step configuration interface for fMP4 asset management. Step 1 shows folder selection, and Step 2 includes fields for New Title, Init File, Fragments Pattern, Manifest File, and Compute options with Lambda and Fargate platforms.

Figure 13: Identify fMP4 assets for processing.

You can specify whether processing should be done using AWS Lambda or AWS Fargate. As mentioned previously, Lambda is more suitable for intermittent workloads, while Fargate is better for continuous workloads. You should experiment to determine which compute resource works best for your needs.

Click Submit. The solution will create, sign, and embed a C2PA manifest into a new fMP4 video package. To find the final video, click the Library option under the Fragmented MP4 area of the sidebar. When you click one of the links, the web application will display the video in a DASH video player. The player has been customized to perform Content Credentials validation of segments during playback (Figure 14).

Dash Player interface showing a scenic view of a coastal Italian town with buildings along the waterfront, mountains in the background, and boats in the harbor. The player includes standard video controls at the bottom.

Figure 14: DASH video playback.

If the player detects a manifest, it will display a Cr icon in the lower lefthand corner of the user interface. Click the icon to view an overlay that lists the Content Credentials metadata and validation status (Figure 15).

Video player showing content credentials overlay on a coastal town scene. The credentials panel displays information including issue date, app or device used, location coordinates, and validation status, with standard video playback controls at the bottom.

Figure 15: Content Credentials overlay.

Common questions

When planning your own production system, you can experiment with the AWS solution to better understand how Content Credentials will affect your workloads.

Common questions include:

  • What is the latency when generating and validating manifests, especially for assets of different sizes and formats?
  • What metadata does your workload require and how will you collect and manage that information without unnecessary complexity or processing time?
  • Which vocabularies will you use to capture your provenance metadata?
  • How will you provision and manage the digital certificates needed to sign manifests? The AWS solution stores the certificate and private key in AWS Secrets Manager—will that be scalable in your production environment?
  • Can you embed C2PA manifests inside your assets, or does that make the files too large? Should you store manifests as sidecar files or limit the number of assertions or ingredients recorded?

Being able to answer all of these questions will help you understand how to implement a Content Credentials workload for production use.

Conclusion

The AWS Content Credentials solution gives CBC/Radio-Canada a quick way to apply provenance metadata to its fMP4 videos. This is a critical requirement for the public broadcaster. “At CBC/Radio-Canada, a cornerstone of our mandate is to accurately inform Canadians with trusted news and verified information,” says Sebastien Testeau, Media Technology Architect, CBC/Radio-Canada. “The C2PA specification and our work on this project will ultimately help audiences to verify the provenance and authenticity of the content they’re consuming.”

To learn how Content Credentials might help your organization, familiarize yourself with the C2PA specification and download the AWS solution to get firsthand experience running Content Credentials workloads in your own environment. If you need help driving innovation or adopting emerging technology, such as Content Credentials, contact an AWS Representative to discuss whether a prototyping engagement could help you innovate and migrate your workloads to the cloud.

Demian Hess

Demian Hess is a Sr Partner Solutions Architect at AWS, focusing on Digital Publishing. With over 18 years of experience in the publishing industry, Demian has written extensively on Digital Asset Management, Content Management, and flexible metadata schemes using NoSQL and Semantic Web technologies.

Carlos Rivera

Carlos Rivera is a Senior Solutions Architect at AWS working with Canadian public sector organizations to design and implement secure cloud solutions, modernize their systems, and enhance services for citizens.

Rachita Chandra

Rachita Chandra is a Prototyping Solutions Architect specializing in implementing generative AI and machine learning solutions for workloads on AWS. Her expertise spans across architecting scalable AI pipelines while ensuring enterprise-grade security and compliance.

Shane Madigan

Shane Madigan is a Senior Prototyping Manager at Amazon Web Services, where he leads groundbreaking initiatives in Generative AI solution development with global partners. With over 25 years of experience spanning pioneering technology deployments—from the first Amber Alerts system to cutting-edge AI applications—Shane has consistently driven innovation through strategic partnerships on behalf of start-ups and industry leaders alike.