This is a tool that lets you digitally sign your images to prove you created them. Think of it like putting an invisible, tamper-proof seal on your artwork that says "I made this."
When you sign an image with C2PA:
- β People can verify you created it (authenticity)
- β People can see when it was created (timestamp)
- β The signature breaks if someone modifies the image (integrity)
- β You can add information about how it was made (metadata)
This is especially useful for AI-generated art, photography, and any digital content where proving authorship matters.
New to all this? Don't worry! Start with these guides in order:
- π QUICK_START.md - Get it working in 5 minutes (step-by-step)
- π SETUP_GUIDE.md - Understand what you're doing (beginner-friendly)
- π‘ EXAMPLES.md - See real-world examples
You put an image into this node in ComfyUI, and it comes out with an invisible digital signature embedded in the file. Anyone can check this signature to verify you created it.
- β Signs images with C2PA certificates (industry standard for digital content)
- β Works directly in your ComfyUI workflows
- β Add custom information (who made it, what tools were used, etc.)
- β Includes test certificates so you can start immediately
- β Automatically saves signed images (no extra steps needed)
When you downloaded this custom node, you got everything you need to start testing:
Think of certificates like a digital ID card. The node comes with official test certificates from the c2patool project:
-
π Private Key:
keys/es256_private.key- This is like your password - keep it secret!
- Used to create the signature
- Never share this file
-
π Certificate:
keys/es256_certs.pem- This is like your public ID - it's safe to share
- Contains your "public key" that others use to verify your signature
- Gets embedded in signed images
Think of it like this:
- Private key = Your pen (only you can sign with it)
- Certificate = Your signature sample (others compare to verify it's really yours)
Someone can have your signature sample (certificate) and verify your autograph, but they can't forge your signature without your actual pen (private key).
This is a helper program that does the actual signing. Think of it like installing a printer driver before you can print.
For Windows (Easiest Way):
-
Download the tool:
- Go to: https://github.com/contentauth/c2pa-rs/releases
- Find the latest version
- Download the file that says "windows" in the name (like
c2patool-v0.23.4-x86_64-pc-windows-msvc.zip)
-
Extract it:
- Right-click the downloaded ZIP β Extract All
- Put it somewhere you'll remember (like
C:\Tools\c2patool)
-
Make it accessible:
- This part lets Windows find the tool from anywhere
- See the SETUP_GUIDE.md for detailed instructions
- Basically: Add the folder to your "PATH" (Windows settings)
-
Test it worked:
- Open Command Prompt (search for "cmd" in Windows)
- Type:
c2patool --version - If you see a version number, you're good! β
π Need more help? Check SETUP_GUIDE.md for step-by-step instructions with screenshots.
This custom node package includes two nodes:
- C2PA Image Signer - Signs images with C2PA manifests
- C2PA Verifier - Reads and displays C2PA manifests from signed images
In ComfyUI, your workflow looks like this:
[Load Image] β [C2PA Image Signer]
That's it! The C2PA Image Signer automatically saves the signed image for you.
Important: Don't add a "Save Image" node after the C2PA Signer. If you do, the signature will be stripped out because ComfyUI re-processes the image. The signer already saves the file for you.
The node needs these settings:
-
image (connect to it)
- This is your image from Load Image or any other node
-
private_key_path (type it in)
- The full path to your private key
- Example:
<ComfyUI_path>/custom_nodes/c2pa_signer/keys/es256_private.key β οΈ Use forward slashes/not backslashes\
-
cert_path (type it in)
- The full path to your certificate
- Example:
<ComfyUI_path>/custom_nodes/c2pa_signer/keys/es256_certs.pem β οΈ Use forward slashes/not backslashes\
-
filename_prefix (optional)
- What to name your signed images
- Default: "C2PA_signed"
- Result:
C2PA_signed_20251006_094628.png
-
manifest_json (optional, advanced)
- Extra information to embed in the signature
- Start with just
{}(empty) - See examples below for what you can add
After you run the workflow, check:
<ComfyUI_path>/output/
Look for files named like: C2PA_signed_20251006_094628.png
The signature is invisible - the image looks the same, but the file is slightly larger because it contains the signature data.
Good news! The C2PA Image Signer automatically handles multiple images. If you connect multiple images to it, it will sign each one individually.
When you sign multiple images at once:
- Each image gets signed separately with its own C2PA manifest
- Each signed image is saved as a separate file
- The console shows progress as each image is signed
Option 1: Using the Batch Images Node
This is the easiest way to sign multiple images:
[Load Image] βββ
βββ [Batch Images] β [C2PA Image Signer]
[Load Image] βββ
Steps:
- Add 2 or more
Load Imagenodes - Load different images in each one
- Add a
Batch Imagesnode - Connect all the Load Image nodes to the Batch Images node
- Connect Batch Images to your C2PA Image Signer
- Run the workflow!
Option 2: For More Than 2 Images
The standard Batch Images node in ComfyUI usually supports 2 images. To batch more:
[Load Image] βββ
βββ [Batch Images] βββ
[Load Image] βββ βββ [Batch Images] β [C2PA Image Signer]
β
[Load Image] ββββββββββββββββββββββββ
Connect the first Batch Images node to a second one, and add another image to the second node. This way you can combine 3+ images.
When signing multiple images, the console output shows progress:
For 3 images:
π C2PA Batch Signing: Processing 3 image(s)...
β
C2PA signing successful [1/3]
πΎ Saved: C:/Users/.../output/C2PA_signed_20251006_123456_batch000.png
β
C2PA signing successful [2/3]
πΎ Saved: C:/Users/.../output/C2PA_signed_20251006_123456_batch001.png
β
C2PA signing successful [3/3]
πΎ Saved: C:/Users/.../output/C2PA_signed_20251006_123456_batch002.png
π Batch signing complete! Signed 3 image(s)
Single image:
C2PA_signed_20251006_123456.png
Multiple images:
C2PA_signed_20251006_123456_batch000.pngC2PA_signed_20251006_123456_batch001.pngC2PA_signed_20251006_123456_batch002.png
The batch000, batch001, etc. helps you keep track of which signed file came from which input image.
Why batch signing is useful:
- Save time when signing lots of images
- All images get the same signature settings
- Perfect for signing a collection or series of images at once
What is this? You can include your entire ComfyUI workflow inside the signature. This means anyone who verifies the signed image can see exactly how you created it - which nodes you used, what settings you applied, everything!
Why would you want this?
- Full transparency - Prove exactly how the image was made
- Reproducibility - Others can recreate your work
- AI art attribution - Show which AI models and prompts you used
- Learning - Share your workflow with others
The C2PA Image Signer has two new optional fields for this:
- workflow_json - Paste your exported workflow here
- include_workflow_metadata - Set to "enable" to turn this feature on
Step 1: Export Your Workflow
- In ComfyUI, create your workflow as normal
- Click the gear icon (βοΈ) or settings menu
- Click "Save (API Format)" or "Export"
- This saves a JSON file with your complete workflow
Step 2: Copy the Workflow JSON
- Open the saved JSON file in Notepad or any text editor
- Select all the text (Ctrl+A)
- Copy it (Ctrl+C)
Step 3: Paste into C2PA Signer Node
- In your ComfyUI workflow, find the C2PA Image Signer node
- Find the workflow_json field (it's a big text box)
- Paste your copied workflow JSON (Ctrl+V)
- Set include_workflow_metadata dropdown to "enable"
- Run your workflow!
When workflow metadata embedding is enabled, the console will show:
β¨ ComfyUI workflow metadata will be embedded in signature
β
C2PA signing successful
πΎ Saved: C:/Users/.../output/C2PA_signed_20251006_123456.png
That β¨ tells you the workflow was successfully embedded!
When you use the C2PA Verifier on a signed image with workflow metadata, you'll see:
β
C2PA Manifest Found
π Signature: Valid
π Assertions: 2
β’ stds.schema-org.CreativeWork
β’ com.comfyui.workflow
The com.comfyui.workflow assertion contains your full workflow! You can view it in the full manifest JSON output.
Privacy Warning: Your workflow JSON may contain:
- File paths from your computer
- Model names and locations
- Node settings and parameters
- Prompt text (including any sensitive info you typed)
If you're signing images publicly, review your workflow JSON first and remove any private information you don't want to share.
When to Use This:
- β Sharing AI art with full attribution
- β Professional work requiring provenance
- β Educational content showing your process
- β Open-source creative projects
When NOT to Use This:
- β Private work with sensitive paths/prompts
- β Commercial work with proprietary techniques
- β When you want to keep your process secret
If you don't need it: Just leave include_workflow_metadata set to "disable" (the default). Your images will still be signed normally, just without the workflow data embedded.
The C2PA Verifier node lets you read and display C2PA manifests from signed images directly in ComfyUI.
Important: C2PA signatures are stored in the file's metadata, not in the image pixels. When images flow through ComfyUI as tensors, they lose this metadata. Therefore, to verify a signed image, you need to provide the file path to the actual signed file on disk.
Your verification workflow looks like this:
[Load Image] β [C2PA Verifier] β [Preview Any or Show Text]
The Node Inputs:
-
image (required, connect from Load Image)
- This is for ComfyUI workflow compatibility
- The verifier needs a tensor input, but won't use it for verification
-
file_path (optional, but required for actual verification)
- The full path to a signed image file on disk
- Example:
C:/Users/YourName/Documents/ComfyUI/output/C2PA_signed_20251006_094628.png β οΈ Use forward slashes/not backslashes\
The Node Outputs:
- manifest_json - Full C2PA manifest as JSON (technical details)
- summary - Human-readable summary showing:
- β Whether a manifest was found
- π Signature validation status
- π€ Issuer/creator information
- π List of assertions (metadata)
- image - Passthrough of input image for workflow chaining
-
Sign an image:
[Load Image] β [C2PA Image Signer]Run this workflow and note the output path shown in the console
-
Verify the signed image:
[Load Image] β [C2PA Verifier] β [Preview Any]- In the C2PA Verifier node, paste the full file path to your signed image
- Connect the output to Preview Any or Show Text to see the verification results
- You should see "β C2PA Manifest Found" with signature details
If verification succeeds:
β
C2PA Manifest Found
π Signature: Valid
π€ Issuer: C2PA Test Signing Cert
π Algorithm: es256
π Assertions: 1
β’ stds.schema-org.CreativeWork
If you forget to enter the file_path:
β No C2PA manifest found
This is expected! Image tensors don't include file metadata.
π To verify a signed image:
1. Sign an image (check the output folder for the saved file)
2. Enter the full path to that file in the 'file_path' field above
Example: C:/Users/YourName/Documents/ComfyUI/output/C2PA_signed_20251006_094628.png
Why can't the verifier read from the tensor?
C2PA signatures are stored in the image file's metadata, not in the pixel data. When an image flows through ComfyUI, only the pixel values (the tensor) are passed along - the file metadata is left behind. This is why you need to provide the file path to the actual signed file on disk.
You can embed extra information in your signatures using the manifest_json field. This is optional but powerful!
Paste this into the manifest_json field:
{
"assertions": [
{
"label": "stds.schema-org.CreativeWork",
"data": {
"@context": "https://schema.org",
"@type": "CreativeWork",
"author": [
{
"@type": "Person",
"name": "Your Name Here"
}
]
}
}
]
}This embeds your name as the creator. Anyone who verifies the signature will see this.
If you're making AI art, add this info:
{
"assertions": [
{
"label": "com.example.ai-art",
"data": {
"model": "Stable Diffusion",
"prompt": "A beautiful sunset over mountains",
"workflow": "ComfyUI",
"created_date": "2025-10-06"
}
}
]
}Assertions are just pieces of information you're "asserting" (claiming) about the image. Think of them like adding tags or notes that get sealed with your signature.
Common things to include:
- Who created it (your name)
- When it was created
- What tools/software were used
- If it's AI-generated or photographed
- Copyright information
- Licensing details
After signing an image, you can verify it contains a signature in two ways:
Use the C2PA Verifier node in ComfyUI:
- Add the C2PA Verifier node to your workflow
- Paste the full path to your signed image in the
file_pathfield - Connect to Preview Any or Show Text
- Run the workflow
- You should see "β C2PA Manifest Found" with signature details
See the Verifying Signed Images section above for detailed instructions.
-
Open Command Prompt
-
Type:
c2patool "<ComfyUI_path>/output/C2PA_signed_20251006_094628.png"(Use your actual filename)
-
You should see a bunch of information about the signature, including:
- β
"validation_state": "Valid"(the signature is good!) - Your certificate information
- Any assertions you added
- β
If you see "validation_state": "Valid", congratulations! Your image is signed and verified! π
What it means: Windows can't find the c2patool program.
How to fix:
- Make sure you extracted c2patool to a folder
- Make sure you added that folder to your Windows PATH
- Restart ComfyUI after changing PATH
- Test by typing
c2patool --versionin Command Prompt
What it means: There's a typo in your manifest_json field.
How to fix:
- Check for missing commas or brackets
- Use a JSON checker: https://jsonlint.com/
- Start simple with just
{}and add things one at a time
What it means: The file paths are wrong.
How to fix:
- Make sure you use forward slashes:
C:/Users/... - Don't use backslashes:
C:\Users\...(this won't work) - Copy-paste the full path to avoid typos
- Make sure the files actually exist in that location
The Problem: When you run an image through SaveImage, ComfyUI re-processes it and strips out the C2PA signature.
Why: SaveImage converts the image back to pixels and re-saves it, which loses all the extra signature data.
The Solution: The C2PA Signer already saves the file for you! You don't need SaveImage.
Yes! The signature is invisible. The image looks identical to humans.
The signature is stored in the file's metadata (invisible data), not in the pixels you see. The file will be slightly larger (a few KB) because of this extra data.
To verify it worked, use: c2patool your-image.png
The certificates included with this node are official test certificates from the c2patool project. Here's what that means:
For Testing/Learning:
- β Perfect for experimenting
- β Works completely
- β Signatures verify as valid
- β Free to use
Limitations:
β οΈ Everyone has these same certificatesβ οΈ Not unique to youβ οΈ Won't prove YOU specifically made somethingβ οΈ Not accepted for professional/commercial use
Think of it like using a practice signature vs. your real signature on legal documents.
You need real certificates if:
- You're releasing images publicly
- You want to prove YOU made them (not just "someone")
- You're doing commercial or professional work
- You need legal authenticity
How to get them: You'd get a certificate from a "Certificate Authority" (an organization that verifies identities). This is beyond the scope of testing, but when you're ready, look into:
- Professional certificate providers
- Industry-specific certificate authorities
- Enterprise solutions from C2PA members
For now, the test certificates are perfect for learning!
Want to understand C2PA better? Check out:
- C2PA Official Site: https://c2pa.org/
- c2patool Documentation: https://github.com/contentauth/c2pa-rs/tree/main/cli
- Technical Specification: https://c2pa.org/specifications/ (if you're curious!)
- Read SETUP_GUIDE.md for detailed explanations
- Check EXAMPLES.md for workflow examples
- Review the troubleshooting section above
This custom node is free to use. The c2patool program is created by the Content Authenticity Initiative and is licensed under Apache License 2.0 / MIT.