
Signing an update manifest with format application/c2pa will attempt to validate hash bindings #1704

@ok-nick

When signing an update manifest with an empty vec as the input and output stream, with the intention being to get only C2PA bytes, the SDK will try verifying any ingredient's hash bindings. Since the original ingredient bytes are gone, this will always fail with "Hashes do not match."

A solution is to ignore the Claim::verify_hash_bindings call when the format is application/c2pa. However, the builder will write the c2pa bytes to the output stream and return it as a vec, which is redundant. This can be combatted by specifying io::empty() as the output stream, although this is not an elegant solution. Another option is to have a method to sign an update manifest with no input or output stream, and it would return only a C2PA manifest.

Example of where the problem occurs:

```rust
let mut builder = Builder::new();
builder.set_intent(BuilderIntent::Update);

// Parent ingredient whose original bytes are not available at signing time.
builder.add_ingredient_from_stream(
    json!({
        "relationship": "parentOf"
    })
    .to_string(),
    "image/jpeg",
    "some/file.jpg"
).unwrap();

// Empty input and output streams: only the C2PA bytes are wanted.
builder.sign(
    &Settings::signer()?,
    "application/c2pa",
    &mut Cursor::new(Vec::new()),
    &mut Cursor::new(Vec::new()),
).unwrap();
```

This is a "fix" to the problem since we don't verify stores where the stream length is 0 (since io::empty() never writes). However, we should still be verifying the store in this case, which is another problem.

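```rust
// io::empty() never writes, so the stream length stays 0 and the store is not verified.
builder.sign(
    &Settings::signer()?,
    "application/c2pa",
    &mut io::empty(),
    &mut io::empty(),
).unwrap();
```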

Context: https://github.com/contentauth/c2pa-rs/pull/1638/changes#r2620856635
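
The two behaviours described in this issue, side by side, as an added example that is not part of the original issue and is not c2pa-rs code. It is a simplified model: `Store`, `verify_reported`, `verify_proposed` and `toy_hash` are hypothetical names, and a non-cryptographic hash stands in for the real hash binding.

```rust
// Added illustration: a simplified model of the checks discussed in the issue.
// NOT c2pa-rs code; every type and function name here is hypothetical.
const C2PA_FORMAT: &str = "application/c2pa";

#[derive(Debug, PartialEq)]
enum VerifyError { MalformedStore, HashMismatch }

// Stand-in for a manifest store: one hash binding over the original asset
// bytes, plus a flag standing in for all other store checks.
struct Store { bound_hash: u64, well_formed: bool }

// FNV-1a, a non-cryptographic stand-in so the example has no dependencies.
fn toy_hash(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf29ce484222325u64, |h, b| (h ^ u64::from(*b)).wrapping_mul(0x100000001b3))
}

fn check_binding(store: &Store, stream: &[u8]) -> Result<(), VerifyError> {
    if toy_hash(stream) == store.bound_hash { Ok(()) } else { Err(VerifyError::HashMismatch) }
}

// Behaviour as reported: a zero-length stream skips verification entirely,
// otherwise hash bindings are checked regardless of format.
fn verify_reported(store: &Store, _format: &str, stream: &[u8]) -> Result<(), VerifyError> {
    if stream.is_empty() { return Ok(()); }
    if !store.well_formed { return Err(VerifyError::MalformedStore); }
    check_binding(store, stream)
}

// Behaviour the issue asks for: always verify the store, and skip only the
// hash-binding check when the output is a bare application/c2pa manifest.
fn verify_proposed(store: &Store, format: &str, stream: &[u8]) -> Result<(), VerifyError> {
    if !store.well_formed { return Err(VerifyError::MalformedStore); }
    if format == C2PA_FORMAT { return Ok(()); }
    check_binding(store, stream)
}

fn main() {
    let asset = b"constructed jpeg bytes"; // constructed sample input
    let manifest_only = b"constructed c2pa bytes"; // original asset bytes are gone
    let good = Store { bound_hash: toy_hash(asset), well_formed: true };
    let bad = Store { bound_hash: toy_hash(asset), well_formed: false };
    println!("reported, manifest only: {:?}", verify_reported(&good, C2PA_FORMAT, manifest_only));
    println!("reported, empty stream:  {:?}", verify_reported(&bad, C2PA_FORMAT, b""));
    println!("proposed, manifest only: {:?}", verify_proposed(&good, C2PA_FORMAT, manifest_only));
    println!("proposed, empty stream:  {:?}", verify_proposed(&bad, C2PA_FORMAT, b""));
}
```

In this model the empty-stream workaround lets a malformed store through unverified, while the proposed policy rejects it and still accepts a well-formed manifest-only output.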
