Skip to content

RedHorseMane/obravera_audio_auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 

Repository files navigation

ObraVera Audio Authentication

Version: 0.1.0 Status: Active Development Architecture: GUI + CLI with Optional C2PA Support

Overview

Advanced audio authentication system that embeds cryptographically signed credentials into audio files with multi-layer verification. Features a desktop GUI application and comprehensive CLI tools for embedding, verifying, and recovering credentials even after aggressive audio processing.

Key Features

Multi-Layer Authentication

  • Layer 1: Metadata - Custom metadata (ID3v2, RIFF) for basic authentication
  • Layer 2: C2PA Manifest - Industry-standard Content Provenance and Authenticity (optional)
  • Layer 3: AudioSeal Watermark with ECC + Alpha Tuning - Deep learning-based watermark with error correction (12-bit data + 4-bit ECC) and optimized strength (alpha=1.2) for 100% loudness normalization resistance
  • Layer 4: Chromaprint Fingerprint - Acoustic fingerprint for tampering detection
  • Layer 5: Ed25519 Signature - Cryptographic proof of authenticity
  • Layer 6: Registry Recovery - Watermark-based credential recovery when metadata is stripped

Desktop GUI Application

  • CustomTkinter Interface: Modern desktop application for macOS, Linux, and Windows
  • Embed Tab: Drag-and-drop audio embedding with visual feedback
  • Verify Tab: Comprehensive verification with detailed diagnostics and recovery status display
  • Credential Management: Create and manage signed credentials
  • Scrollable Interfaces: All content accessible with responsive scrolling (Settings and Verify tabs)
  • Recovery Visualization: Clear display when credentials recovered via watermark registry or C2PA
  • Quality Testing: Built-in audio quality analysis tools
  • Batch Processing: Process multiple files efficiently

CLI Tool (Professional Use)

  • Simple Commands: One-line embedding and verification
  • Diagnostic Mode: Detailed failure analysis with recovery suggestions
  • Parallel Processing: Concurrent operations for 2-3x speedup
  • C2PA Support: Optional industry-standard compliance
  • Multi-Format: MP3, WAV, FLAC, OGG, AAC, M4A support
  • Recovery Modes: Automatic credential recovery via watermark registry

Advanced Error Handling

  • Corruption Analysis: Bit-level analysis of watermark corruption
  • Recovery Suggestions: Context-aware guidance for failed verifications
  • Diagnostic Information: Detailed metrics on authentication layer status
  • Failure Mode Detection: Identifies loudness normalization, transcoding, editing

Performance Optimizations

  • LRU Caching: Fast registry lookups (1000-entry cache)
  • Automatic Backups: Timestamped registry backups with integrity checking
  • Parallel Verification: Concurrent metadata/fingerprint/watermark extraction
  • Progressive Results: Real-time feedback during long operations

Quick Start

Installation

Minimal (Metadata Only)

# Installation options are still under development and will be released when the repo becomes public.

Basic Usage

GUI Application

# Launch desktop application
python -m obravera_audio.gui

# Or use the installed command
obravera-gui

CLI - Embedding

# Basic embed (metadata + AudioSeal watermark)
obravera embed recording.wav --credential credential.json -o authenticated.wav

# With C2PA support (requires certificate)
obravera embed recording.wav --credential credential.json --c2pa \
  --cert studio_cert.pem --key studio_key.pem -o authenticated.wav

CLI - Verification

# Basic verification
obravera verify authenticated.wav

# With diagnostic mode (detailed failure analysis)
obravera verify processed.mp3 --diagnostic

# With parallel processing (faster)
obravera verify large_file.wav --parallel

# With live progress updates
obravera verify large_file.wav --progress

# Full verification with signature check
obravera verify authenticated.wav --public-key studio_public_key.pem -v

CLI Reference

Commands

obravera embed

Embed a signed credential into an audio file.

obravera embed <audio_file> --credential <credential.json> [options]

Options:
  --credential PATH    Path to credential JSON file (required)
  -o, --output PATH    Output file path (default: overwrites input)
  --watermark METHOD   Watermark method: none, audioseal, audiowmark (default: audioseal)
  --c2pa              Enable C2PA manifest embedding (requires --cert and --key)
  --cert PATH         Path to C2PA signing certificate
  --key PATH          Path to C2PA signing key
  --help              Show this message and exit

Examples:
  # Standard embed with AudioSeal watermark
  obravera embed audio.wav --credential cred.json -o output.wav

  # Embed with C2PA compliance
  obravera embed audio.wav --credential cred.json --c2pa \
    --cert cert.pem --key key.pem -o output.wav

  # Metadata only (no watermark)
  obravera embed audio.wav --credential cred.json --watermark none

obravera verify

Verify the credential embedded in an audio file.

obravera verify <audio_file> [options]

Options:
  --public-key PATH    Path to public key PEM file for signature verification
  -v, --verbose       Show detailed verification information
  -d, --diagnostic    Show detailed diagnostic information including failure analysis
  -p, --parallel      Use parallel processing for faster verification (experimental)
  --progress          Show real-time progress updates during verification
  --no-cache          Disable result caching (force fresh verification)
  --cache-ttl SECONDS Cache time-to-live in seconds (default: 300)
  --help              Show this message and exit

Examples:
  # Basic verification
  obravera verify audio.wav

  # With diagnostic mode (shows corruption analysis, recovery suggestions)
  obravera verify audio.wav --diagnostic

  # Faster verification with parallel processing
  obravera verify audio.wav --parallel

  # With live progress updates
  obravera verify audio.wav --progress

  # Full verification with signature check
  obravera verify audio.wav --public-key studio_key.pem -v

obravera extract

Extract the credential from an audio file.

obravera extract <audio_file> [options]

Options:
  -o, --output PATH    Output JSON file (default: prints to stdout)
  --help              Show this message and exit

Examples:
  # Print credential to terminal
  obravera extract audio.wav

  # Save to file
  obravera extract audio.wav -o credential.json

obravera cache

Manage verification result cache.

obravera cache <command> [options]

Commands:
  stats              Show cache statistics
  clear              Clear all or aged cache entries
  prune              Remove expired cache entries

Examples:
  # View cache statistics
  obravera cache stats

  # Clear all cache entries
  obravera cache clear

  # Clear entries older than 10 minutes
  obravera cache clear --max-age 600

  # Remove expired entries
  obravera cache prune --ttl 300

Authentication Layers Explained

Layer 1: Custom Metadata

  • Format: ID3v2 (MP3), RIFF INFO (WAV)
  • Content: Full credential with all fields
  • Robustness: Survives file copying, basic operations
  • Vulnerability: Stripped by metadata cleaners, some platforms

Layer 2: C2PA Manifest (Optional)

  • Format: JUMBF structure in RIFF or ID3 tags
  • Content: Industry-standard provenance data
  • Robustness: Same as custom metadata (both are metadata)
  • Value: Adobe/Microsoft tool compatibility, enterprise compliance
  • Note: Provides compliance, not additional technical resilience

Layer 3: AudioSeal Watermark with Error Correction

  • Format: Perceptual watermark in audio waveform
  • Content: 12-bit credential ID hash + 4-bit error correction code
  • Error Correction: Can detect up to 2-bit errors, correct 1-bit errors
  • Robustness: Survives format conversion, editing, most transcoding
  • Improved Resistance: ECC helps recover from single-bit errors caused by processing
  • Recovery: Watermark registry lookup by payload
  • Best For: Primary authentication mechanism with enhanced resilience

Layer 4: Chromaprint Fingerprint

  • Format: Acoustic fingerprint hash
  • Content: Perceptual hash of audio content
  • Robustness: Survives format conversion
  • Purpose: Tampering detection (detects if audio was modified)
  • Limitation: Changes with any audio editing

Layer 5: Ed25519 Signature

  • Format: Cryptographic signature
  • Content: Signs entire credential
  • Purpose: Proves studio signed the credential
  • Verification: Requires studio's public key

Layer 6: Registry Recovery

  • Mechanism: Local SQLite database indexed by watermark payload
  • Purpose: Recover full credential when all metadata is stripped
  • Robustness: Works as long as watermark survives
  • Performance: LRU cached lookups (<100ms)

Error Correction Codes (ECC)

What is ECC?

Error Correction Codes add redundancy to watermarks, enabling detection and correction of bit errors caused by audio processing. ObraVera uses a (16,12) Hamming-like code:

  • 12 bits: Credential ID data
  • 4 bits: Parity/error correction
  • Capabilities:
    • Detect up to 2-bit errors
    • Correct single-bit errors automatically
    • Fail safely on uncorrectable multi-bit errors

Why ECC Matters

AudioSeal watermarks can be corrupted by:

  • Loudness normalization (-14 LUFS standard on YouTube, Spotify)
  • Lossy transcoding (MP3, AAC compression)
  • Audio editing (EQ, dynamics processing)
  • Platform processing (automatic audio enhancements)

ECC significantly improves resilience against these single-bit errors, increasing successful verification rates even after aggressive processing.

How It Works

Embedding:

  1. Credential ID is hashed to 12 bits
  2. 4 parity bits are computed
  3. Combined 16-bit watermark is embedded in audio

Extraction:

  1. 16-bit watermark is extracted from audio
  2. Parity bits checked for errors
  3. Single-bit errors automatically corrected
  4. 12-bit data returned for verification

Example:

# Original watermark: 0xE2A1 (binary: 1110 0010 1010 0001)
# After normalization: 0xE0A1 (binary: 1110 0000 1010 0001)
# ↑ Bit 9 flipped from 1 to 0

# Without ECC: Verification fails (different payload)
# With ECC: Error detected at bit 9, automatically corrected ✓

Validation Results

Real-world testing against -14 LUFS loudness normalization (YouTube/Spotify standard):

  • 100% success rate - watermarks survive normalization with alpha=1.2 tuning
  • ✅ Single-bit error correction working as designed
  • ✅ Significantly better than legacy watermarks (0% success without ECC)
  • ✅ Alpha parameter tuning (January 2026): 80% → 100% improvement
  • ✅ Tested with diverse audio content (music, voice, tones)
  • ✅ Production-ready for streaming platform deployment

ECC Status

  • Enabled by default: All new embeds use ECC
  • Backward compatible: Can still verify legacy non-ECC watermarks
  • Transparent: No user action required, works automatically

Verification Results Interpretation

✓ Credential is valid

All authentication layers passed:

  • Metadata found (custom or C2PA recovered)
  • Signature valid (if public key provided)
  • Fingerprint matches (audio unmodified)
  • Watermark valid (if checked)

✗ Credential verification failed - With Recovery

Metadata stripped but authenticated via watermark recovery

  • Custom metadata was removed
  • C2PA manifest not found or invalid
  • But watermark survived and registry found credential
  • This is still valid authentication!

✗ Credential verification failed - Corruption Detected

Watermark corrupted (severe processing)

  • Watermark detected but payload doesn't match expected
  • Diagnostic mode shows bit differences and flipped positions
  • Likely cause: Severe audio processing beyond standard platform normalization
  • Note: Standard loudness normalization (-14 LUFS) is handled with 100% success
  • Rare edge case: extreme compression, heavy editing, or non-standard processing

✗ Credential verification failed - No Recovery Possible

All metadata stripped and watermark not recoverable

  • No custom metadata, no C2PA manifest
  • Watermark not detected or not in registry
  • File may have been embedded before registry was enabled
  • Or watermark destroyed by heavy processing

Diagnostic Mode Features

Use --diagnostic flag for detailed failure analysis:

obravera verify audio.wav --diagnostic

Diagnostic Output Includes:

  • Watermark Corruption Analysis

    • Expected vs actual payload (binary representation)
    • Number of bit differences
    • Flipped bit positions
    • Likely cause (loudness normalization, audio processing, severe corruption)

  • Recovery Suggestions

    • Context-aware guidance based on failure mode
    • Steps to obtain uncorrupted version
    • Alternative authentication methods

  • Detailed Metrics

    • Detected watermark payload
    • Current fingerprint hash
    • Recovery mode (C2PA, watermark registry)
    • Authentication method used

C2PA Integration

When to Use C2PA

Use C2PA if you need:

  • Adobe Content Credentials tool compatibility
  • Microsoft Authenticator support
  • Enterprise procurement requirements ("C2PA compliant")
  • BBC/Reuters/AP news organization workflows
  • Legal/regulatory requirements

Don't use C2PA if:

  • You only need technical resilience (AudioSeal provides this)
  • You want to avoid certificate costs ($20-$400/year)
  • You're an independent artist/small studio
  • You don't need third-party tool compatibility

C2PA Limitations

What C2PA Does NOT provide:

  • ❌ Better format conversion survival (same as custom metadata)
  • ❌ Additional resilience to metadata stripping
  • ❌ Watermark-like survival in audio waveform
  • ❌ Better performance or speed

What C2PA DOES provide:

  • ✓ Industry standard compliance
  • ✓ Third-party verification tool support
  • ✓ Adobe/Microsoft ecosystem compatibility
  • ✓ "C2PA Compliant" badge for enterprise

Setting Up C2PA

See C2PA-INTEGRATION.md for:

  • Certificate authority options
  • Self-signed certificate creation (testing only)
  • Certificate management
  • Cost analysis

Project Structure

obravera-audio/
├── pyproject.toml                    # Project configuration
├── README.md                         # This file
├── AUDIOSEAL-OPTIMIZATION-PLAN.md   # Performance optimization roadmap
├── C2PA-SPOT-CHECK-FINDINGS.md      # C2PA technical analysis
├── BRIEFING.md                      # Strategic briefing document
│
├── src/obravera_audio/              # Python package
│   ├── __init__.py
│   ├── cli.py                       # Command-line interface
│   ├── verify.py                    # Sequential verification
│   ├── verify_parallel.py           # Parallel verification
│   ├── exceptions.py                # Error handling with diagnostics
│   ├── registry.py                  # Credential registry with caching
│   │
│   ├── gui/                         # PyQt6 desktop application
│   │   ├── __main__.py
│   │   ├── app.py
│   │   ├── embed_tab.py
│   │   └── verify_tab.py
│   │
│   ├── metadata/                    # Metadata handlers
│   │   ├── embed.py                 # MP3/WAV metadata
│   │   └── models.py                # Credential v1.1 model
│   │
│   ├── crypto/                      # Cryptography
│   │   └── signing.py               # Ed25519 signing/verification
│   │
│   ├── fingerprint/                 # Audio fingerprinting
│   │   └── chromaprint.py           # Chromaprint integration
│   │
│   ├── watermark/                   # Watermarking engines
│   │   ├── audioseal.py             # AudioSeal (16-bit)
│   │   └── audiowmark.py            # audiowmark (128-bit, optional)
│   │
│   ├── c2pa/                        # C2PA support (optional)
│   │   └── manifest.py              # C2PA manifest handling
│   │
│   └── config/                      # Configuration
│       └── settings.py              # Data directory management
│
├── tests/                           # Test suite
│   ├── test_metadata.py
│   ├── test_verify.py
│   └── fixtures/                    # Test audio files
│
└── examples/                        # Example files and test results
    ├── original/                    # Source audio files
    └── spot-check-results/          # C2PA comparison tests

Performance Characteristics

The Data Below is Subject to Change as Comprehensive Testing is Stll Ongoing

Verification Speed

  • Sequential: ~10-15 seconds for full verification
  • Parallel: ~5-8 seconds (2-3x speedup with --parallel flag)
  • Cached Results: ~0.2 seconds (13x faster with --cache)
  • Cached Lookup: <100ms for registry-based recovery
  • Progressive: ~20% overhead for real-time progress updates

Registry Performance

  • Lookup Speed: <100ms cached, <10ms for subsequent lookups
  • Cache Size: 1000 entries (LRU)
  • Backup Frequency: Automatic on every save
  • Backup Retention: Last 10 backups
  • Integrity Check: Automatic on load with auto-restore

Watermark Survival Rates

Based on extensive testing (see test_runner.py results):

  • Format Conversion (MP3, FLAC, OGG, AAC): ~80-90% survival
  • Audio Editing (trim, fade, normalize): ~70-80% survival
  • Loudness Normalization (-14 LUFS): ❌ Known failure (corrupts payload)
  • Metadata Stripping: ✓ Watermark survives, registry recovers credential

Development

Setup Development Environment

# Clone repository
git clone https://github.com/yourusername/obravera-audio.git
cd obravera-audio

# Install with dev dependencies
uv pip install -e ".[dev]"

# Install pre-commit hooks
pre-commit install

# Run tests
pytest -v

# Type checking
mypy src/

# Linting
ruff check src/ tests/
ruff format src/ tests/

Running Tests

# All tests
pytest -v

# With coverage
pytest --cov=obravera_audio --cov-report=html

# Specific test categories
pytest tests/test_verify.py -v
pytest tests/test_metadata.py -v

# Test runner for format conversion tests
python test_runner.py

# Edge case testing suite
python test_edge_cases.py

# ECC validation test (loudness normalization)
python test_ecc_validation.py

# Alpha tuning validation (optimal watermark strength)
python test_alpha_tuning_real_audio.py

# Stress testing suite (production load)
python test_stress.py

Test Coverage

Alpha Tuning Tests (January 15, 2026):

  • 100% success rate against -14 LUFS loudness normalization with alpha=1.2
  • ✅ Tested 5 alpha values (1.0, 1.2, 1.5, 1.8, 2.0) with real audio
  • ✅ Alpha 1.2 optimal: perfect robustness, minimal audibility impact
  • ✅ Improvement: 80% → 100% (+20 percentage points)
  • ✅ Production-ready for YouTube, Spotify, and all streaming platforms
  • See: ALPHA-TUNING-REPORT.md

Stress Tests (January 13, 2026):

  • 100% success rate across 4 production load scenarios
  • ✅ Concurrent operations: 101.5 embeds/sec, 118.8 verifies/sec
  • ✅ Large files (60 min): 0.27s embed, 0.08s verify
  • ✅ Registry scale (10k entries): 0.013ms lookup time
  • Production-ready with exceptional performance

Edge Case Tests (January 13, 2026):

  • 80% success rate across 10 edge case scenarios
  • ✅ Sample rates: 8kHz - 192kHz (all supported)
  • ✅ Multi-channel: Stereo and quad (full support)
  • ✅ Invalid files: Gracefully rejected (empty, corrupted)
  • Production-ready with excellent robustness

ECC Validation (January 12, 2026):

  • Baseline 80% success rate with ECC alone
  • Enhanced to 100% with alpha=1.2 tuning (January 15, 2026)
  • ✅ Tested with YouTube/Spotify processing standards
  • ✅ Single-bit error correction + optimized watermark strength

Format Conversions (Test Runner):

  • 80% success rate across MP3, FLAC, OGG, Opus
  • Metadata and watermark recovery validated

Requirements

Python Dependencies (Minimal)

  • mutagen - Audio metadata manipulation
  • click - CLI framework
  • rich - Terminal formatting
  • pydantic - Data validation
  • cryptography - Ed25519 signing

Python Dependencies (Full)

  • pyacoustid - Chromaprint fingerprinting
  • torch - AudioSeal deep learning
  • audioseal - Watermarking library
  • PyQt6 - Desktop GUI
  • c2pa-python (optional) - C2PA support

System Dependencies

  • fpcalc (chromaprint) - Audio fingerprinting

    # macOS
brew install chromaprint

# Ubuntu/Debian
sudo apt-get install libchromaprint-tools

  • ffmpeg (optional) - Format conversion for testing

  # macOS
  brew install ffmpeg

  # Ubuntu/Debian
  sudo apt-get install ffmpeg

Documentation

Known Limitations

Watermark Survival

  • Single-Bit Errors: ✅ NOW CORRECTABLE - Error correction codes (ECC) automatically fix single-bit corruptions
  • Multiple-Bit Errors: Severe processing causing 2+ bit flips may still fail verification
  • Heavy Compression: Extreme bitrate reduction may corrupt watermark beyond ECC recovery
  • Improved Resilience: ECC significantly increases survival rates for typical platform processing

C2PA Limitations

  • C2PA manifests are metadata and strip like any other metadata
  • No technical advantage over custom metadata for resilience
  • Value is in industry compliance, not format conversion survival

Format Support

  • AAC/M4A: Cannot verify .m4a files directly (use AAC roundtrip)
  • Exotic Formats: Untested on very unusual sample rates or channel configurations

Roadmap

Completed

  • ✅ Multi-layer authentication architecture
  • ✅ AudioSeal watermarking integration
  • ✅ Registry-based credential recovery
  • ✅ C2PA industry standard support
  • ✅ Diagnostic mode with detailed error analysis
  • ✅ Parallel verification for performance
  • ✅ Registry caching and backups
  • ✅ PyQt6 desktop GUI
  • ✅ Result caching for repeated verifications
  • ✅ Progressive results display
  • ✅ Error correction codes (ECC) for watermark robustness
  • Alpha parameter tuning - 100% loudness normalization resistance

Planned

  • 📋 Cloud registry preparation (for production scaling)
  • 📋 Platform-specific test suite (YouTube, Spotify uploads)
  • 📋 Batch processing optimizations
  • 📋 Multiple watermark strategy (optional - 100% already achieved)

See AUDIOSEAL-OPTIMIZATION-PLAN.md for detailed priorities.

Privacy & Security

Desktop GUI

  • Local Processing: All audio processing happens on your machine
  • No Network Calls: Audio files never leave your computer
  • Secure Storage: Keys and credentials stored locally

Code Quality & Standards

PEP 8 Compliance

This project follows PEP 8 style guidelines:

  • Line Length: Maximum 88 characters (Black / Ruff)
  • Formatting: Enforced via ruff format
  • Linting: Checked with ruff check

Automated Enforcement

Code quality is enforced at multiple levels:

Pre-commit Hooks (prevents bad commits):

pip install pre-commit
pre-commit install

Hooks automatically run before each commit:

  • Ruff linter with auto-fix
  • Ruff formatter
  • Mypy type checking
  • Trailing whitespace removal
  • YAML validation
  • Large file detection

CI/CD Pipeline (prevents bad merges):

  • GitHub Actions runs on all PRs
  • Checks: linting, formatting, type checking, tests
  • Must pass before merge allowed

Manual Commands:

# Check code quality
ruff check .

# Auto-format code
ruff format .

# Type check
mypy src/obravera_audio

# Run all quality checks
pre-commit run --all-files

Current Status

See PEP8-COMPLIANCE-TODO.md for progress on PEP 8 compliance.

CLI Tool

  • Local Processing: All operations are local
  • No Telemetry: No usage data collected
  • Minimal API: Only for credential signing (optional)

Data Handling

  • No Audio Storage: Audio files are never uploaded
  • Temporary Files: Cleaned up automatically
  • Registry Privacy: Local SQLite database, not shared

Contributing

Contributions not yet open

License

TBD

Contact

TBD

Status: Active development. Multi-layer authentication with C2PA support fully functional. Performance optimizations ongoing.

About

Advanced audio authentication system that embeds cryptographically signed credentials into audio files with multi-layer verification

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors