Merge branch 'main' into dependabot/cargo/sdk/range-set-0.0.11

.github/workflows/ci.yml

@@ -1,6 +1,6 @@
 name: CI
 
-on:  
+on:
   pull_request:
   push:
     branches: main
@@ -16,12 +16,12 @@ jobs:
       fail-fast: false
       matrix:
         os: [windows-latest, macos-latest, ubuntu-latest]
-        rust_version: [stable, 1.73.0]
+        rust_version: [stable, 1.74.0]
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
@@ -31,7 +31,7 @@ jobs:
         uses: Swatinem/rust-cache@v2
 
       - name: Run unit tests
-        run: cargo test --all-features --verbose 
+        run: cargo test --all-features --verbose
 
   tests-cross:
     name: Unit tests
@@ -41,12 +41,12 @@ jobs:
       fail-fast: false
       matrix:
         target: [aarch64-unknown-linux-gnu]
-        rust_version: [stable, 1.73.0]
+        rust_version: [stable, 1.74.0]
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
@@ -73,10 +73,10 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
-          
+
       - name: Install wasm-pack
         run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
 
@@ -96,7 +96,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@nightly
         with:
@@ -121,7 +121,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@master
         with:
@@ -140,7 +140,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
 
@@ -179,7 +179,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install nightly Rust toolchain
         # Nightly is used here because the docs.rs build
         # uses nightly and we use doc_cfg features that are
@@ -225,7 +225,7 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@nightly
 
@@ -244,7 +244,7 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-        
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
 

CHANGELOG.md

@@ -6,6 +6,57 @@ This project adheres to [Semantic Versioning](https://semver.org), except that 
 
 Do not manually edit this file. It will be automatically updated when a new release is published.
 
+## 0.32.7
+_18 July 2024_
+
+* Ensure Ingredient data_types make it to the store and back. ([#514](https://github.com/contentauth/c2pa-rs/pull/514))
+* draft security md ([#508](https://github.com/contentauth/c2pa-rs/pull/508))
+* Make data_types field optional when serializing data-box-map ([#512](https://github.com/contentauth/c2pa-rs/pull/512))
+* Fix box hash placeholder len (set to 1) ([#511](https://github.com/contentauth/c2pa-rs/pull/511))
+* Set data box placeholder len to at least 1 for GIF ([#510](https://github.com/contentauth/c2pa-rs/pull/510))
+* Rewind mp3 streams when reading/writing ([#509](https://github.com/contentauth/c2pa-rs/pull/509))
+* Update README.md ([#351](https://github.com/contentauth/c2pa-rs/pull/351))
+* Add GIF support ([#489](https://github.com/contentauth/c2pa-rs/pull/489))
+* Update image requirement from 0.24.7 to 0.25.1 in /make_test_images ([#445](https://github.com/contentauth/c2pa-rs/pull/445))
+* Upgrade uuid to 1.7.0 & fix removed wasm-bindgen feature ([#450](https://github.com/contentauth/c2pa-rs/pull/450))
+* Expose `SignatureInfo` publicly ([#501](https://github.com/contentauth/c2pa-rs/pull/501))
+* Cleanup empty/unused files + lints ([#500](https://github.com/contentauth/c2pa-rs/pull/500))
+
+## 0.32.6
+_15 July 2024_
+
+* Fetching of databoxes must always use HashedURI to enforce hash checks. ([#505](https://github.com/contentauth/c2pa-rs/pull/505))
+* Temporarily allow unused `JsonAssertionData` to fix unused error in CI ([#498](https://github.com/contentauth/c2pa-rs/pull/498))
+* Add remote manifest support to MP3 ([#496](https://github.com/contentauth/c2pa-rs/pull/496))
+
+## 0.32.5
+_28 June 2024_
+
+* (PATCH) ensures temp files are removed ([#494](https://github.com/contentauth/c2pa-rs/pull/494))
+* Update async_generic to 1.1 ([#493](https://github.com/contentauth/c2pa-rs/pull/493))
+
+## 0.32.4
+_25 June 2024_
+
+* Add data_type (future) to Ingredient_V2 ([#490](https://github.com/contentauth/c2pa-rs/pull/490))
+* Let's not assume that third-party assertions are using serde_cbor ([#491](https://github.com/contentauth/c2pa-rs/pull/491))
+
+## 0.32.3
+_24 June 2024_
+
+* External placed manifest ([#472](https://github.com/contentauth/c2pa-rs/pull/472))
+* Support metadata field in claims. ([#488](https://github.com/contentauth/c2pa-rs/pull/488))
+
+## 0.32.2
+_19 June 2024_
+
+* Add iterators over manifests and resources in unstable API ([#482](https://github.com/contentauth/c2pa-rs/pull/482))
+* OCSP certificate should be valid at signing time ([#481](https://github.com/contentauth/c2pa-rs/pull/481))
+* url crate version 2.5.1 introduces new license "Unicode-3.0" ([#483](https://github.com/contentauth/c2pa-rs/pull/483))
+* Implement `Debug` w/ detailed manifest for `Reader` ([#473](https://github.com/contentauth/c2pa-rs/pull/473))
+* Bump MSRV to 1.74 ([#478](https://github.com/contentauth/c2pa-rs/pull/478))
+* Allow empty Merkle proof for last leaf node. ([#470](https://github.com/contentauth/c2pa-rs/pull/470))
+
 ## 0.32.1
 _10 May 2024_
 

README.md

@@ -29,7 +29,7 @@ We welcome contributions to this project.  For information on contributing, prov
 
 ## Requirements
 
-The library requires **Rust version 1.73.0** or newer.
+The library requires **Rust version 1.74.0** or newer.
 
 ### Supported platforms
 
@@ -42,31 +42,33 @@ The library has been tested on the following operating systems:
 
 ## Supported file formats
 
- | Extensions    | MIME type                                           |
- | ------------- | --------------------------------------------------- |
- | `avi`         | `video/msvideo`, `video/avi`, `application-msvideo` |
- | `avif`        | `image/avif`                                        |
- | `c2pa`        | `application/x-c2pa-manifest-store`                 |
- | `dng`         | `image/x-adobe-dng`                                 |
- | `heic`        | `image/heic`                                        |
- | `heif`        | `image/heif`                                        |
- | `jpg`, `jpeg` | `image/jpeg`                                        |
- | `m4a`         | `audio/mp4`                                         |
- | `mp4`         | `video/mp4`, `application/mp4`                      |
- | `mov`         | `video/quicktime`                                   |
- | `png`         | `image/png`                                         |
- | `svg`         | `image/svg+xml`                                     |
- | `tif`,`tiff`  | `image/tiff`                                        |
- | `wav`         | `audio/wav`                                         |
- | `webp`        | `image/webp`                                        |
+ | Extensions    | MIME type                                                                     |
+ | ------------- | ----------------------------------------------------------------------------- |
+ | `avi`         | `video/msvideo`, `video/x-msvideo`, `video/avi`, `application/x-troff-msvideo`|
+ | `avif`        | `image/avif`                                                                  |
+ | `c2pa`        | `application/x-c2pa-manifest-store`                                           |
+ | `dng`         | `image/x-adobe-dng`                                                           |
+ | `heic`        | `image/heic`                                                                  |
+ | `heif`        | `image/heif`                                                                  |
+ | `jpg`, `jpeg` | `image/jpeg`                                                                  |
+ | `m4a`         | `audio/mp4`                                                                   |
+ | `mp4`         | `video/mp4`, `application/mp4`                                                |
+ | `mov`         | `video/quicktime`                                                             |
+ | `png`         | `image/png`                                                                   |
+ | `svg`         | `image/svg+xml`                                                               |
+ | `tif`,`tiff`  | `image/tiff`                                                                  |
+ | `wav`         | `audio/wav`                                                                   |
+ | `webp`        | `image/webp`                                                                  |
+ | `mp3`         | `audio/mpeg`                                                                  |
+ | `gif`         | `image/gif`                                                                   |
 
 ## Usage
 
 Add this to your `Cargo.toml`:
 
 ```toml
 [dependencies]
-c2pa = "0.32.1"
+c2pa = "0.32.7"
 ```
 
 If you want to read or write a manifest file, add the `file_io` dependency to your `Cargo.toml`.

SECURITY.md

@@ -0,0 +1,22 @@
+# Security
+
+This C2PA open-source library is maintained in partnership with Adobe. At this time, Adobe is taking point on accepting security reports through its HackerOne portal and public bug bounty program.
+
+## Reporting a vulnerability
+
+Please do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). If for some reason this is not possible, reach out to [email protected].
+
+
+## Vulnerability SLAs
+
+Once we receive an actionable vulnerability (meaning there is an available patch, or a code fix is required), we will acknowledge the vulnerability within 24 hours. Our target SLAs for resolution are:
+
+1. 72 hours for vulnerabilities with a CVSS score of 9.0-10.0
+2. 2 weeks for vulnerabilities with a CVSS score of 7.0-8.9
+
+Any vulnerability with a score below 6.9 will be resolved when possible.
+
+
+## C2PA Vulnerabilities
+
+This library is not meant to address any potential vulnerabilities within the C2PA specification itself. It is only an implementation of the spec as written. Any suspected vulnerabilities within the spec can be reported [here](https://github.com/c2pa-org/specifications/issues).

export_schema/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "export_schema"
-version = "0.32.1"
+version = "0.32.7"
 authors = ["Dave Kozma <[email protected]>"]
 license = "MIT OR Apache-2.0"
 edition = "2018"
-rust-version = "1.73.0"
+rust-version = "1.74.0"
 
 [dependencies]
 anyhow = "1.0.40"

make_test_images/Cargo.toml

@@ -1,20 +1,20 @@
 [package]
 name = "make_test_images"
-version = "0.32.1"
+version = "0.32.7"
 authors = ["Gavin Peacock <[email protected]>"]
 license = "MIT OR Apache-2.0"
 edition = "2021"
-rust-version = "1.73.0"
+rust-version = "1.74.0"
 
 [dependencies]
 anyhow = "1.0.40"
 c2pa = { path = "../sdk", default-features = false, features = [
 	"openssl",
 	"unstable_api",
 ] }
-env_logger = "0.10"
+env_logger = "0.11"
 log = "0.4.8" 
-image = { version = "0.24.7", default-features = false, features = [
+image = { version = "0.25.1", default-features = false, features = [
 	"jpeg",
 	"png",
 ] }
@@ -24,4 +24,3 @@ regex = "1.5.6"
 serde = "1.0.197"
 serde_json = { version = "1.0.114", features = ["preserve_order"] }
 tempfile = "3.10.1"
-

make_test_images/src/make_thumbnail.rs

@@ -18,7 +18,6 @@ use image::{io::Reader, ImageFormat};
 
 // max edge size allowed in pixels for thumbnail creation
 const THUMBNAIL_LONGEST_EDGE: u32 = 1024;
-const THUMBNAIL_JPEG_QUALITY: u8 = 80;
 
 ///  utility to generate a thumbnail from a stream
 /// returns Result (format, image_bits) if successful, otherwise Error
@@ -43,11 +42,8 @@ pub fn make_thumbnail_from_stream<R: Read + Seek + ?Sized>(
     // for png files, use png thumbnails for transparency
     // for other supported types try a jpeg thumbnail
     let (output_format, format) = match format {
-        ImageFormat::Png => (image::ImageOutputFormat::Png, "image/png"),
-        _ => (
-            image::ImageOutputFormat::Jpeg(THUMBNAIL_JPEG_QUALITY),
-            "image/jpeg",
-        ),
+        ImageFormat::Png => (ImageFormat::Png, "image/png"),
+        _ => (ImageFormat::Jpeg, "image/jpeg"),
     };
     let thumbnail_bits = Vec::new();
     let mut cursor = std::io::Cursor::new(thumbnail_bits);

sdk/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "c2pa"
-version = "0.32.1"
+version = "0.32.7"
 description = "Rust SDK for C2PA (Coalition for Content Provenance and Authenticity) implementors"
 authors = [
 	"Maurice Fisher <[email protected]>",
@@ -17,7 +17,7 @@ readme = "../README.md"
 keywords = ["xmp", "metadata"]
 categories = ["api-bindings"]
 edition = "2021"
-rust-version = "1.73.0"
+rust-version = "1.74.0"
 exclude = ["tests/fixtures"]
 
 [package.metadata.docs.rs]
@@ -59,13 +59,12 @@ name = "v2api"
 required-features = ["unstable_api"]
 
 
-
 [lib]
 crate-type = ["lib"]
 
 [dependencies]
 asn1-rs = "0.5.2"
-async-generic = "0.1.2"
+async-generic = "1.1"
 async-trait = { version = "0.1.77" }
 atree = "0.5.2"
 base64 = "0.21.2"
@@ -120,10 +119,10 @@ serde_with = "3.4.0"
 serde-transcode = "1.1.1"
 sha2 = "0.10.2"
 tempfile = "3.10.1"
-thiserror = "1.0.40"
+thiserror = "1.0.61"
 treeline = "0.1.0"
-url = "2.2.2"
-uuid = { version = "1.3.1", features = ["serde", "v4", "wasm-bindgen"] }
+url = "2.2.2, <2.5.1"  # Can't use 2.5.1 or newer until new license is reviewed.
+uuid = { version = "1.7.0", features = ["serde", "v4", "js"] }
 x509-parser = "0.15.1"
 x509-certificate = "0.19.0"
 zip = { version = "0.6.6", default-features = false }
@@ -161,7 +160,11 @@ web-sys = { version = "0.3.58", features = [
 [dev-dependencies]
 anyhow = "1.0.40"
 mockall = "0.11.2"
-c2pa = { path = ".", features = ["unstable_api"] } # allow integration tests to use the new API
+c2pa = { path = ".", features = [
+	"unstable_api",
+] } # allow integration tests to use the new API
+jumbf = "0.4.0"
+
 
 [target.'cfg(target_arch = "wasm32")'.dev-dependencies]
 wasm-bindgen-test = "0.3.31"

sdk/src/assertion.rs

@@ -471,6 +471,7 @@ impl Assertion {
     }
 }
 
+#[allow(dead_code)] // TODO: temp, see #498
 #[derive(Serialize, Deserialize, Debug)]
 pub(crate) struct JsonAssertionData {
     label: String,