Questions people actually ask.

Does provcheck detect deepfakes?

No. C2PA is not a deepfake detector. It verifies cryptographic provenance on files that already claim to carry it — it does not analyse pixels or audio waveforms for synthetic artefacts.

If a file has no C2PA manifest, provcheck reports it as Unsigned. We make no inference about authenticity beyond what the manifest tells us. The point of the standard is to raise the floor on what can be asserted, not to reverse-engineer truth from content.

What about files without C2PA?

They are reported as Unsigned — clearly, in amber. Unsigned is not a failure. It simply means no claim was attached, so there is nothing to verify. That is very different from Not verified (red), which means a manifest was present but the signature did not validate.

Is my data private?

Yes. provcheck runs 100% locally. Files never leave your machine. There is no account, no upload, no telemetry, and no runtime network access. You can run it fully air-gapped.

This is the central reason provcheck exists — web verifiers require uploading your file to a server, which is unacceptable for sensitive journalism, client work under NDA, or any private media.

Can provcheck sign files?

No. provcheck is a verifier, not a signer. To sign your own content, use Adobe's c2patool, the signing workflow in your C2PA-capable camera, or the content-credentials hooks built into tools like Photoshop, Lightroom, and Premiere.

Which formats are supported?

Whatever the upstream c2pa-rs crate supports — currently WAV, MP3, JPEG, PNG, HEIC, AVIF, WebP, MP4, and MOV, with more added as the standard expands. provcheck inherits support automatically.

What does “honest about trust” mean?

provcheck reports the signer's identity as it appears in the certificate, without silently filtering or penalising signers whose certs came from per-install or non-public CAs. Trust-list policy — which signers you personally accept — is a separate concern from cryptographic integrity.

You can pass --trust-store to point the CLI at your own CA bundle. The GUI will surface the signer details; what to do with them is your call, not the tool's.

Does provcheck replace Adobe's tools?

No — it extends the ecosystem into a surface Adobe hasn't filled. Adobe's c2patool is a developer-oriented CLI for signing and inspecting. provcheck is a polished verifier for people who receive content, not people who produce it. Both projects sit on top of the same open-source c2pa-rs crate.

Is it free?

Yes. Apache-2.0 licensed. Free to use, modify, redistribute, audit, fork, or ship inside your own products. No tiers, no paid edition, no “pro” upsell. It is a utility, not a SaaS.

Who makes provcheck?

Creative Mayhem UG, a Berlin studio. We also make rAIdio.bot, Doomscroll.FM, and other local-first tools. provcheck is infrastructure we needed for our own signed outputs — we shipped it for everyone because the ecosystem was missing it.