fix: error with validation results on invalid manifest after verify after sign

[ok-nick]

Fixes verify after sign so that it builds up the validation results and returns them in an err if deemed an invalid manifest. Additionally, skip verifying hashes when signing only c2pa manifests (no asset).

Should it be enabled by default? There is a performance implication. Perhaps validation should be enabled by default and hash verification disabled?

• Closes Fix verify_after_sign setting #1875
• Closes Signing an update manifest with format application/c2pa will attempt to validate hash bindings #1704

[codspeed-hq]

Merging this PR will improve performance by 29.65%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 3 improved benchmarks
✅ 27 untouched benchmarks
⏩ 64 skipped benchmarks¹

Performance Changes

	Mode	Benchmark	BASE	HEAD	Efficiency
⚡	Simulation	large-cbor-assertion/read	69.6 ms	50.6 ms	+37.57%
⚡	Simulation	wide-ingredients/read	248.8 ms	221.4 ms	+12.41%
⚡	Simulation	large-json-assertion/read	65.4 ms	46.4 ms	+40.93%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.

---

_{Comparing ok-nick/verify-after-sign (a5cd586) with main (9fb5ef4)}

Footnotes

1. 64 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩