fix: error with validation results on invalid manifest after verify after sign

[ok-nick]

Fixes verify after sign so that it builds up the validation results and returns them in an err if deemed an invalid manifest. It also adds the verify after sign check to the other signing paths, including the embeddable APIs.

The PR introduces a new ValidationFailureSummary so that on error, it will display a concise summary of what failures, on what ingredients occurred. This can also be obtained via ValidationResults::failure_summary for the general case. ValidationResults also now impls Display with a more user-friendly interface.

Also adds a new setting verify_after_sign_hash which rehashes the asset and validates against the hard binding assertion stored. By default this setting is false due to the performance implications. I'm keeping verify_after_sign default to false for now, let's get the fix out first.

• Closes Fix verify_after_sign setting #1875
• Closes Signing an update manifest with format application/c2pa will attempt to validate hash bindings #1704

[codspeed-hq]

Merging this PR will improve performance by 25.45%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 1 improved benchmark
✅ 29 untouched benchmarks
⏩ 64 skipped benchmarks¹

Performance Changes

	Mode	Benchmark	BASE	HEAD	Efficiency
⚡	Memory	update-manifests/read	5.6 MB	4.5 MB	+25.45%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.

---

_{Comparing ok-nick/verify-after-sign (21488ba) with main (a48f1cc)}

Footnotes

1. 64 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[ok-nick]

I kept verify_after_sign disabled for now (as it was already). Let's get the fix out before we change the default.

[gpeacock]

This isn't a fix, this is an entirely new way of reporting errors.
I can see how we may want to validate the manifest when we have no asset, but that should report an invalid hash if the manifest is associated with an asset ( and it should always be, except for archives.

[mauricefisher64]

How is this used? Should callers never call verify_store directly? Could this have just been done in verify_store?