This guide provides detailed information on installing, configuring, and using the C2PA ML CLI tool.
- Installation
- Command Line Reference
- Configuration Options
- Storage Backends
- TEE Attestation
- Troubleshooting
- Rust toolchain (1.58 or later)
- OpenSSL development libraries
# Clone repositories
git clone https://github.com/IntelLabs/atlas-cli
# Build CLI
cd atlas-cli && make
# Install (optional)
make install
The Atlas CLI currently supports Intel TDX 1.5 or later for Ubuntu systems on select Google Cloud Engine instances.
apt install protobuf-compiler
cargo build --features with-tdx
make install
The C2PA ML CLI provides the following main commands:
atlas-cli model [SUBCOMMAND]
Subcommands:
- create - Create a new model manifest
- list - List all model manifests
- verify - Verify a model manifest
- link-dataset - Link a dataset to a model
atlas-cli dataset [SUBCOMMAND]
Subcommands:
- create - Create a new dataset manifest
- list - List all dataset manifests
- verify - Verify a dataset manifest
atlas-cli manifest [SUBCOMMAND]
Subcommands:
- link - Link manifests together
- show - Show manifest details
- validate - Validate manifest cross-references
- verify-link - Verify a specific link between two manifests
- export - Export provenance graph information
atlas-cli evaluation [SUBCOMMAND]
Subcommands:
- create - Create a new evaluation result manifest
- list - List all evaluation results
- verify - Verify an evaluation result manifest
atlas-cli software [SUBCOMMAND]
Subcommands:
- create - Create a new software component manifest
- list - List all software component manifests
- verify - Verify a software component manifest
- link-model - Link software to a model
- link-dataset - Link software to a dataset
Generate signing keys:
make generate-keys
This creates:
- private.pem - Private key for signing
- public.pem - Public key for verification
The CLI supports two output formats:
- json - Human-readable JSON (default)
- cbor - Compact binary format
Specify the format using the --format flag:
atlas-cli model create --format=json ...
atlas-cli model create --format=cbor ...
Most commands support the following flags:
- --print - Display the manifest without storing it
- --key=<path> - Path to private key for signing
- --storage-type=<type> - Storage backend type (database, filesystem)
- --storage-url=<url> - URL or path for the storage backend
Uses a custom HTTP API with MongoDB backend:
atlas-cli model create \
--storage-type=database \
--storage-url=http://localhost:8080 \
...
Stores manifests in the local filesystem:
atlas-cli model create \
--storage-type=filesystem \
--storage-url=./storage \
...
Stores manifests in a Rekor transparency log:
export REKOR_URL=https://rekor.example.com
atlas-cli model create \
--storage-type=rekor \
...
When built with the with-tdx feature, you can both create attested manifests and verify the guest integrity:
atlas-cli model create \
--with-tdx \
...
Important: Cryptographic key generation and management are the responsibility of the end user. The security of your C2PA manifests depends entirely on the strength and proper management of your keys.
Generate signing keys using the provided Makefile:
make generate-keys
This creates:
- private.pem - Private key for signing
- public.pem - Public key for verification
For custom key generation with specific requirements:
# Generate a strong 4096-bit RSA private key (recommended)
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096
# Extract the public key
openssl rsa -pubout -in private_key.pem -out public_key.pem
Key Requirements:
- RSA keys: minimum 2048 bits (4096 bits recommended)
- EC keys: use approved curves (P-256, P-384, or P-521)
- Follow key management best practices, and use a well-known key management service (KMS) when possible.
- Never commit private keys to version control
- Rotate keys regularly according to your security policy
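The requirements above can be checked before a key is passed to --key. The following script is an added example, not part of the Atlas CLI; check_key is a hypothetical helper name, and it assumes the openssl command-line tool is installed (git is consulted only if present).

```shell
#!/usr/bin/env bash
# Added example: audit a PEM private key before using it with --key.
# check_key is a hypothetical helper name; it is not an atlas-cli command.
# Returns 0 = meets requirements, 1 = policy violation, 2 = unreadable key.
check_key() {
    local key="$1" info bits curve mode rc=0
    [ -f "$key" ] || { echo "FAIL: $key not found"; return 2; }

    # -passin pass: stops openssl prompting if the key is passphrase-protected.
    info=$(openssl pkey -in "$key" -passin pass: -noout -text 2>/dev/null) \
        || { echo "FAIL: $key is not a readable PEM private key"; return 2; }
    bits=$(printf '%s\n' "$info" | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)

    if printf '%s\n' "$info" | grep -q '^modulus:'; then
        # RSA: 2048 bits minimum, 4096 recommended.
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "FAIL: RSA key is $bits bits (minimum 2048)"; rc=1
        elif [ "$bits" -lt 4096 ]; then
            echo "WARN: RSA key is $bits bits (4096 recommended)"
        fi
    elif printf '%s\n' "$info" | grep -q '^ASN1 OID:'; then
        # EC: only P-256, P-384 and P-521 are accepted.
        curve=$(printf '%s\n' "$info" | sed -n 's/^NIST CURVE: //p')
        case "$curve" in
            P-256|P-384|P-521) ;;
            *) echo "FAIL: EC curve '${curve:-non-NIST}' is not P-256, P-384 or P-521"; rc=1 ;;
        esac
    else
        echo "FAIL: key is neither RSA nor a named-curve EC key"; rc=1
    fi

    # Permissions: group and other must have no access (e.g. 600 or 400).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode; restrict it with chmod 600"; rc=1 ;;
    esac

    # Version control: the key must not be tracked by git.
    if git -C "$(dirname "$key")" ls-files --error-unmatch -- "$(basename "$key")" >/dev/null 2>&1; then
        echo "FAIL: $key is tracked by git"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $key meets the key requirements"
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_key "$1"; fi
```

Saved under an assumed name such as check_key.sh, it can be run as `bash check_key.sh private.pem`; a non-zero exit status means the key should not be used for signing as it stands.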
The Atlas CLI supports multiple hash algorithms for signing manifests:
# Uses SHA-384 by default (recommended)
atlas-cli model create --key=private.pem ...
# Use SHA-512 for maximum security
atlas-cli model create --key=private.pem --hash-algo=sha512 ...
Available algorithms:
- sha384 - Default, recommended for security/performance balance
- sha256 - For backward compatibility with existing systems
- sha512 - Maximum security for sensitive applications
The --hash-alg flag is supported by all creation commands:
- model create
- dataset create
- software create
- evaluation create
- ONNX (.onnx)
- TensorFlow (.pb)
- PyTorch (.pt, .pth)
- Keras (.h5)
- Any directory structure
- Common formats: CSV, JSON, NPY, etc.
If you encounter errors connecting to a storage backend:
- Verify the storage URL is correct
- Check if the storage service is running
- Verify network connectivity
- For database storage, check MongoDB is running
If you encounter signing-related errors:
- Verify the private key path is correct
- Ensure the key is in PEM format
- Check file permissions on the key file
If you encounter "file not found" errors when creating manifests:
- Verify the paths provided exist
- Use absolute paths to avoid working directory issues
- Check file permissions
For more detailed help on any command, you can use the --help flag:
atlas-cli --help
atlas-cli model --help
atlas-cli model create --help
To enable debug logging, set the RUST_LOG environment variable:
RUST_LOG=debug atlas-cli ...