scripts/verify.sh

#!/usr/bin/env bash

if [ "$TRUEPIC_DEBUG" = "2" ]; then
  set -xeo pipefail
else
  set -eo pipefail
fi

debug_echo() {
    if [ -n "$TRUEPIC_DEBUG" ]; then
        echo "$@"
    fi
}

MEDIA_FILE=$(readlink -f "$1")

TRUEPIC_CLI=/home/user/app/truepic
STEG_SCRIPTS=/home/user/app/scripts/

filename=$(basename "${MEDIA_FILE}")
extension="${filename##*.}"
if [ "${extension}" = "jpg" ] || [ "${extension}" = "jpeg" ]; then
  mime_type="image/jpeg"
else
  if [ "${extension}" = "png" ]; then
    mime_type="image/png"
  else
    echo "Unsupported file extension: ${extension}"
    exit 1
  fi
fi

debug_echo -n "Checking for C2PA data in the media..."
set +e
verification_json=$(${TRUEPIC_CLI} verify $MEDIA_FILE 2>&1)
set -e

if jq -e . <<< "$verification_json" >/dev/null 2>&1; then
  c2pa_manifest_found=true
  debug_echo " embedded C2PA manifest found."
else
  c2pa_manifest_found=false
  debug_echo " no embedded C2PA manifest found."
fi

debug_echo
debug_echo -n "Uploading media to steg.ai..."
media_id=$(${STEG_SCRIPTS}/upload.sh ${MEDIA_FILE} $mime_type)
debug_echo " --> media_id=${media_id}"

debug_echo
debug_echo -n "Detecting a watermark..."
decode_response=$(
  curl -s https://api.steg.ai/decode_image_async \
    -H "x-api-key: ${STEG_AI_API_KEY}" \
    --data-raw '{ "media_id": "'${media_id}'" }'
)
request_id=$(echo "$decode_response" | jq -r '.data.request_id')

if [ -z "$request_id" ] || [ "$request_id" = "null" ]; then
  debug_echo
  echo "No request_id"
  exit 1;
fi

status_response=""
decode_status=""
while [ "$decode_status" != "Completed." ]; do
  sleep 1
  debug_echo -n ".."
  status_response=$(
    curl -s https://api.steg.ai/media_status?request_id=${request_id} \
      -H "x-api-key: ${STEG_AI_API_KEY}"
  )
  decode_status=$(echo "${status_response}" | jq -r '.data.status')
done

original_id=$(echo "${status_response}" | jq -r '.data.media_data.custom' | jq -r '.original_id')
manifest_id=$(echo "${status_response}" | jq -r '.data.media_data.custom' | jq -r '.manifest_id')
watermark_signature=$(echo "${status_response}" | jq -r '.data.media_data.custom' | jq -r '.watermark_signature')

if [ -z "$manifest_id" ] || [ "$manifest_id" = "null" ]; then
  debug_echo
  debug_echo "No manifest_id"
else
  debug_echo " --> media_id=${manifest_id}"
fi

debug_echo
debug_echo -n "Deleting uploaded media (${media_id}) from steg.ai... "
delete_result=$(
  curl -s https://api.steg.ai/asset \
    -X DELETE \
    -H "x-api-key: ${STEG_AI_API_KEY}" \
    --data-raw '{
        "media_id" : "'${media_id}'"
      }'
)
if [ -n "${TRUEPIC_DEBUG}" ]; then echo ${delete_result} | jq -r '.message'; fi

if [ -z "$manifest_id" ] || [ "$manifest_id" = "null" ]; then
  echo "Contains C2PA manifest: ${c2pa_manifest_found}"
  echo "Contains watermark: false"
  echo "Original watermarked media: n/a"
  exit 0
fi

debug_echo
debug_echo -n "Downloading original watermarked media..."
original_info=$(curl -s https://api.steg.ai/asset?media_id=${original_id} -H "x-api-key: ${STEG_AI_API_KEY}")
original_url=$(echo ${original_info} | jq -r '.data[0].path')
downloaded_original=$(mktemp).${extension}
curl -s -o ${downloaded_original} ${original_url}
debug_echo " --> ${downloaded_original}"

debug_echo
debug_echo -n "Downloading new manifest..."
manifest_info=$(curl -s https://api.steg.ai/asset?media_id=${manifest_id} -H "x-api-key: ${STEG_AI_API_KEY}")
manifest_url=$(echo ${manifest_info} | jq -r '.data[0].path')
downloaded_manifest=$(mktemp).bin
curl -s -o ${downloaded_manifest} ${manifest_url}
debug_echo " --> ${downloaded_manifest}"

debug_echo
debug_echo -n "Inserting new manifest into media file..."
${TRUEPIC_CLI} manifest insert ${downloaded_manifest} ${downloaded_original} --output watermarked_original.${extension} > /dev/null 2>&1
debug_echo " --> watermarked_original.${extension}"
rm -f ${downloaded_original}
rm -f ${downloaded_manifest}

debug_echo
debug_echo "Checking the manifest."
verification_json=$(${TRUEPIC_CLI} verify watermarked_original.${extension})

hash_status=$(
  echo "${verification_json}" | \
  jq -r '.manifest_store[] | select(.is_active == true) | .assertions."c2pa.hash.data"[0].status'
)
if echo "${verification_json}" | jq -e '.manifest_store[0].assertions."c2pa.thumbnail.claim.jpeg"' >/dev/null; then
  thumbnail_key="c2pa.thumbnail.claim.jpeg"
else
  if echo "${verification_json}" | jq -e '.manifest_store[0].assertions."c2pa.thumbnail.claim.png"' >/dev/null; then
    thumbnail_key="c2pa.thumbnail.claim.png"
  else
    echo "Couldn't find thumbnail assertion in the C2PA manifest."
    exit 1
  fi
fi
thumbnail_hash=$(
  echo "${verification_json}" | \
  jq -r '.manifest_store[0].assertions."'${thumbnail_key}'"[0].thumbnail_id'
)
timestamp=$(
  echo "${verification_json}" | \
  jq -r '.manifest_store[0].trusted_timestamp.timestamp'
)
public_key=$(
  echo "${verification_json}" | \
  jq -r '.manifest_store[0].certificate.cert_der' | \
  base64 -d | \
  openssl x509 -pubkey -noout
)

debug_echo -n "Checking watermark signature... ${thumbnail_hash}|${timestamp} ... ${watermark_signature} ..."
signature_verification=$(
  openssl dgst -sha256 \
    -verify <(echo "${public_key}") \
    -signature <(echo "${watermark_signature}" | base64 -d) \
    <(echo "${thumbnail_hash}|${timestamp}")
)

if [ "${signature_verification}" != "Verified OK" ]; then
  debug_echo " FAILED"
  echo "Watermark signature verification failed"
  exit 1
fi
debug_echo " ${signature_verification}"

debug_echo -n "Checking image hash..."
if [ "$hash_status" = "VALID" ]; then
  debug_echo " hashes match."
  if [ -n "$TRUEPIC_DEBUG" ]; then echo "${verification_json}" | jq; fi

  echo "Contains C2PA manifest: ${c2pa_manifest_found}"
  echo "Contains watermark: true"
  echo "Original watermarked media: watermarked_original.${extension}"
  exit 0
fi
debug_echo " hashes DON'T match!"
rm -f watermarked_original.${extension}