Can someone explain how the hash assertion for the video file "video/mp4/truepic-20230212-zoetrope.mp4" is generated?
truepic-20230212-zoetrope.mp4 has the following boxes
ftyp
uuid
free: offset 00 00 76 08
mdat : offset 00 00 82 80
moov: offset 00 EB C5 4A
Hash assertion contains hash
"hash": "nEzS9vlbVhdhYr8FO8gtNdLvKPaPz0iAaDj4y6Q5pV0="
If I extract the boxes from mp4
mp4extract moov truepic-20230212-zoetrope.mp4 moov.dat
mp4extract mdat truepic-20230212-zoetrope.mp4 mdat.dat
and append the offsets at the beginning of moov and mdat. 00 00 82 80 || mdat.dat || 00 EB C5 4A || moov.dat, the generated hash (shasum -a 256 mdat_moov.dat) gives bfddcea827141be1de70330fc642bc88d37d8f8d30d73986c1c2e8c0eccc657a = b64 "v93OqCcUG+HecDMPxkK8iNN9j40w1zmGwcLowOzMZXo=" which is not the same as hash mentioned in hash assertion.
Also, note at https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_bmff_based_hash
mentions:
Use 'free' boxes.
a. Determine reasonable maximum size(s) for the C2PA box(es) which will be embedded. All MP4 boxes for C2PA support unused padding bytes at the end, so it is fine to overestimate the size for the 'free' boxes because any extra bytes will be ignored.
b. Insert 'free' box(es) of said size(s) into the asset file(s) and update all offsets appropriately.
c. Perform hashing of the asset with "/free" on the exclusion list.
d. Create and sign the manifest. Create the C2PA box(es).
e. Overwrite the 'free' box(es) with the C2PA box(es).
Based on above note, should "free" be added to the exclusion list? I do not see it in the hash assertion exclusion list at
If free is taken into consideration, hash of "00 00 76 08 || free || 00 00 82 80 || mdat || 00 EB C5 4A || moov" gives hash (shasum -a 256 free_mdat_moov.dat): 0a81bb6473f7d4069e511661bfe38ca4021b780c0fe6d3c7b2366a06070ffefa = b64 "CoG7ZHP31AaeURZhv+OMpAIbeAwP5tPHsjZqBgcP/vo=" which is not the same as hash mentioned in hash assertion.
What am I missing here?
Can someone explain how the hash assertion for the video file "video/mp4/truepic-20230212-zoetrope.mp4" is generated?
truepic-20230212-zoetrope.mp4 has the following boxes
ftyp
uuid
free: offset 00 00 76 08
mdat : offset 00 00 82 80
moov: offset 00 EB C5 4A
Hash assertion contains hash
"hash": "nEzS9vlbVhdhYr8FO8gtNdLvKPaPz0iAaDj4y6Q5pV0="
If I extract the boxes from mp4
mp4extract moov truepic-20230212-zoetrope.mp4 moov.dat
mp4extract mdat truepic-20230212-zoetrope.mp4 mdat.dat
and append the offsets at the beginning of moov and mdat. 00 00 82 80 || mdat.dat || 00 EB C5 4A || moov.dat, the generated hash (shasum -a 256 mdat_moov.dat) gives bfddcea827141be1de70330fc642bc88d37d8f8d30d73986c1c2e8c0eccc657a = b64 "v93OqCcUG+HecDMPxkK8iNN9j40w1zmGwcLowOzMZXo=" which is not the same as hash mentioned in hash assertion.
Also, note at https://c2pa.org/specifications/specifications/2.0/specs/C2PA_Specification.html#_bmff_based_hash
mentions:
Based on above note, should "free" be added to the exclusion list? I do not see it in the hash assertion exclusion list at
public-testfiles/video/mp4/manifests/truepic-20230212-zoetrope/manifest_store.json
Line 136 in aa84e25
If free is taken into consideration, hash of "00 00 76 08 || free || 00 00 82 80 || mdat || 00 EB C5 4A || moov" gives hash (shasum -a 256 free_mdat_moov.dat): 0a81bb6473f7d4069e511661bfe38ca4021b780c0fe6d3c7b2366a06070ffefa = b64 "CoG7ZHP31AaeURZhv+OMpAIbeAwP5tPHsjZqBgcP/vo=" which is not the same as hash mentioned in hash assertion.
What am I missing here?