Signed at publish.
Every post. Every time.
Signetto is a drop-in plugin for WordPress and Ghost that flags AI involvement in the editorial workflow, then embeds a tamper-evident C2PA manifest into every article and image you publish. Article 50 disclosure becomes automatic — not a process your newsroom has to remember.
Four stages. One second. Zero workflow change.
Every published asset passes through four verification stages before readers see it. Your editors keep working the way they do now.
Author hits publish
Signetto intercepts the draft at the CMS layer — WordPress plugin or Ghost webhook. No editor sees anything change.
AI involvement evaluated
The draft is evaluated against your newsroom ruleset and Article 50 requirements. AI-generated or AI-assisted content is declared in the manifest.
C2PA manifest signed
A signed manifest is minted via your Cloud KMS key and countersigned by a qualified RFC 3161 Timestamp Authority.
Proof ships with content
The manifest is embedded in the asset and written to your tamper-evident audit log. Anyone can verify. Only you can sign.
Under one second per asset. Less editorial friction than autosave.
Compliance infrastructure, not a compliance workflow.
Signetto is architected so editorial teams do not change how they work. Install the plugin, point it at your KMS, publish normally.
AI involvement declared at publish
Every save or schedule action evaluates the draft against your newsroom ruleset. AI-involved content is declared in the editor and in the signed manifest, so disclosure is factual, not editorial.
C2PA manifests bound to content
Assertions, claim, and signature follow C2PA v2.1. The signed hash binds the manifest to the exact bytes on your page. Any tampering breaks verification.
Keys in Cloud KMS, never in your host
Private keys live in Google Cloud KMS in the EU europe multi-region. Signing operations happen remotely. Your private key is never extractable — not even by Signetto.
RFC 3161 timestamps
Every signature is countersigned by an independent Timestamp Authority, giving regulators an auditable record of when content was signed.
Exportable audit logs
Records who signed what, when, with which Cloud KMS CryptoKeyVersion. Built for Article 50 inquiry response — not a black box. Append-only audit log with indefinite retention.
Verifiable anywhere
Content Credentials from Adobe, any C2PA-compliant verifier, and Google Search integrations — Signetto-signed content validates everywhere in the C2PA ecosystem.
Anyone can verify. Only you can sign.
Signetto-signed posts expose a standard C2PA manifest at /content-credentials.json. Any compliant verifier reads the signature, checks the timestamp, and confirms content integrity — without contacting Signetto.
Signature valid
Content matches signed hash. Timestamp verified.
- Publisher
- news.example.eu
- Algorithm
- ECDSA P-256 (ES256)
- Content hash
- sha256:8f2a0e94…c4d1e7
- Signed at
- 2026-08-02T14:07:22Z
- Timestamp
- timestamp.sectigo.com · RFC 3161
- AI involvement
- Declared · assisted · translation
Approved member of the Content Authenticity Initiative
Built on the same C2PA provenance standard adopted by Adobe, the BBC, Microsoft, Reuters, and the broader CAI ecosystem.
Where Signetto fits
Native integrations for the publishing platforms European newsrooms run on.
WordPress
At launchPlugin from the WordPress.org directory. Installs in under five minutes. Compatible with Gutenberg and Classic Editor. Multisite supported.
Ghost
At launchAdmin API integration for self-hosted Ghost 5.x and Ghost Pro. Webhook-driven sealing on publish.
REST API
At launchDirect signing endpoint for any CMS, static site generator, or custom publishing workflow. OpenAPI 3.1 specification on request.
Your platform
On requestDrupal, Contentful, Kirby, Strapi, or something bespoke. Tell us at [email protected].
Get early access before 2 August 2026.
Signetto is in private beta with a small cohort of European publishers. Request access and we will reach out with integration details for your CMS.
Notes from the signing pipeline.
Long-form writing on content provenance, cryptographic signing, and EU regulation as it applies to digital publishers.
Questions from compliance leads.
Does Signetto change our editorial workflow?
No. The plugin hooks into the publish action your editors already use. They write, edit, and hit publish the same way they do today. Signing happens in the background in under a second. The only visible change is a verification badge on the public page.
Who qualifies as a "deployer" under Article 50?
Under Regulation 2024/1689, a deployer is any natural or legal person using an AI system under its own authority. For digital publishers, that includes newsrooms using AI for translation, summarisation, image generation, or editorial assistance. Article 50 disclosure obligations apply to the deployer — not to the AI model provider.
What does verification look like for a reader?
A small Content Credentials badge on the page. Clicking it opens a panel with publisher identity, signing time, and declared AI involvement. The manifest itself is a standard C2PA JSON blob that any compliant verifier — Adobe's Content Credentials tool, any C2PA-compliant verifier, and browser integrations — can read without talking to Signetto.
What happens if content is edited after signing?
Verification fails, and the badge reads TAMPERED. Republishing re-signs and records the update in your audit log, with the prior hash and reason for change preserved. Regulators see a complete edit history, cryptographically bound.
Is Signetto hosted in the EU?
Yes. Signing infrastructure runs in the EU `europe` multi-region of Google Cloud (underlying zones in Belgium, Finland, Netherlands, and Frankfurt). Audit logs and manifest storage are EU-resident. The qualified Timestamp Authority is operated by an EU trust service provider.
The signing pipeline should be live long before enforcement.
Two months between the final Code of Practice and the enforcement deadline. The publishers who integrate now will not be filing extensions in August.