Nikon Can’t Fully Solve the Z6 III’s C2PA Problems Alone
Nikon suspended the brand-new C2PA functionality introduced in the Nikon Z6 III’s first major firmware update after a major security issue was discovered. Nikon has taken the critical step of revoking all C2PA signatures issued before the C2PA functionality was taken offline, but a complete resolution will require changes to the C2PA validation tools themselves.
Nikon sent emails late last week to Nikon Imaging Cloud users who have registered to use the Nikon Authenticity Service, which drives the Z6 III’s C2PA functionality and will presumably serve as the foundation for future Nikon Z cameras with C2PA.
“A technical issue was confirmed on September 4 with the provenance recording function, which complies with the C2PA standard and is included in the Nikon Authenticity Service provided in firmware version 2.00 for the Nikon Z6III (released on August 27, 2025). Nikon has since temporarily suspended the service while working diligently to resolve the issue,” the email reads, as shared with PetaPixel by Adam Horshack, the photographer who uncovered the Z6 III’s C2PA security flaw in the first place.
“Following the distribution of this email, the issuance of new certificates will be suspended in sequence. We sincerely regret that this issue affects customers like you who were among the first to explore this new feature. The digital certificates issued and loaded onto cameras during the period between the service launch and its suspension will be invalidated. Please be advised that the authenticity credentials attached to these images are no longer valid and cannot be used as proof of provenance.
“We sincerely apologize for the inconvenience and concern this issue may have caused.
“Nikon takes this matter very seriously and is committed to preventing recurrence and restoring trust in our services.
“We will announce the resumption of the service on Nikon Imaging Cloud website once the issue has been resolved.”
The section concerning the invalidation of issued certificates is vital. When PetaPixel initially covered the security flaw after speaking with Horshack, we suggested that an essential part of any resolution would be to revoke previously issued certificates.
At the time, Horshack had only managed to validate an image taken with a non-certified camera, which is already a big problem. However, in the following weeks, he even managed to get his C2PA-enabled Z6 III to sign an AI-generated image.

As Horshack described on DPReview’s forums and explained to PetaPixel over email, he created an image of a pug flying an airplane using generative AI. Then he encoded the data into Nikon’s proprietary NEF file format. He then “grafted” the encoded data onto a “skeleton” NEF using his second non-C2PA-enabled Z6 III body, captured an image in the multiple exposure mode — which is the core vulnerability discovered earlier this month — and got the wholly AI-generated image signed and validated. Unlike Horshack’s original experiment, this is not a photo of a screenshot, but a 1:1 digital copy of an AI-generated source image.
When Nikon suspended its C2PA service, this only prevented new users from installing certificates on their Z6 III cameras. The suspension did not prevent existing users from signing new images, provided they do not synchronize their Z6 III with the Nikon Imaging Cloud. If a photographer syncs their camera, any installed certificates will be immediately removed, preventing new images from being signed.
There is also no way to prevent online validation tools from validating C2PA-signed images, even from cameras whose certificates have been revoked, as Horshack and others have demonstrated. The C2PA SDK includes code to check that an issuing camera’s certificate has not been revoked. However, as Horshack explains, the available validation tools do not perform that check by default. When the default behavior is overridden, forcing a revocation check, Horshack’s C2PA-signed images do fail validation, which is the desired outcome in this case.
Unfortunately, this issue is out of Nikon’s hands and depends on the default behavior of various open-source validation tools. Horshack filed a GitHub issue yesterday for c2patool to make checking for certificate revocation its default behavior.
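The gap between the two defaults can be modeled in a few lines. This is an added example, not code from PetaPixel, Nikon, c2patool, or the C2PA SDK: every name in it is hypothetical, the keys and serials are constructed, and an HMAC stands in for the real certificate-based signature so it runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: per-certificate signing keys and a revocation set.
# HMAC is a stand-in for the real X.509/COSE signature check.
CAMERA_KEYS = {"SERIAL-A": b"key-a", "SERIAL-B": b"key-b"}
REVOKED = {"SERIAL-A"}  # certificate the issuer has since invalidated


@dataclass
class SignedAsset:
    pixels: bytes
    cert_serial: str
    signature: bytes


def sign(pixels, serial):
    mac = hmac.new(CAMERA_KEYS[serial], pixels, hashlib.sha256).digest()
    return SignedAsset(pixels, serial, mac)


def revocation_status(serial, responder_up=True):
    """Hypothetical status lookup: 'good', 'revoked', or 'unknown'."""
    if not responder_up:
        return "unknown"
    return "revoked" if serial in REVOKED else "good"


def validate(asset, check_revocation=False, responder_up=True):
    key = CAMERA_KEYS.get(asset.cert_serial)
    if key is None:
        return "untrusted_signer"
    expected = hmac.new(key, asset.pixels, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, asset.signature):
        return "signature_mismatch"
    # With the check off, a cryptographically sound signature from a
    # revoked certificate is indistinguishable from a trustworthy one.
    if check_revocation:
        status = revocation_status(asset.cert_serial, responder_up)
        if status != "good":
            return "cert_" + status  # fail closed on revoked and unknown
    return "valid"
```

A validator that treats an unreachable status responder as "good" reintroduces the same gap, which is why the sketch fails closed on `unknown` as well as `revoked`.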
“In my opinion, Nikon has done everything they possibly could to quickly and comprehensively address the multi-exposure vulnerability,” Horshack tells PetaPixel. “Hopefully a forthcoming firmware update will remove the vulnerability and allow new C2PA certificates to be issued.”