Signing again a file does not clear previous XMP data, especially remote manifest URL

[tmathern]

Demo is in https://github.com/contentauth/c2pa-rs/pull/1531, run from folder c2pa_c_ffi using cargo test --features "rust_native_crypto,file_io" test_sign_again_with_info -- --nocapture to see all logs.

I have signed a file using ACA (https://contentauthenticity.adobe.com/) because ACA adds both embedded and remote manifests in a file. When I use that file and I want to sign it again, signing works, a Reader claims there is no remote manifest, but I still see a remote manifest URL in the XMP metadata.

For instance, the screenshot below is for a file I signed with embedded manifest only. I would expect therefore there is no trace of a cloud manifest URL in the XMP metadata. But looking at the file with exiftool, exiftool displays some leftover (I assume leftover?) data:

Please clarify is this is either a bug, or some steps when signing again are missing.

ps: In this case, I would not expect to need to explicit call to set a remote URL back to null or a placeholder (especially since currently we defend against that in the C interface and other SDKs)?

[github-jira-sync-bot]

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/CAI-10451 is successfully created for this GitHub issue.