bindle
Signature payload cleartext generation deviates from spec
The signing spec says:
The signature is computed by concatenating the following pieces of data together in a line-separated (\n) UTF-8 string: by, name, version, role, at and the label.sha256 of each parcel:
However, the Bindle server does not include the at value when generating its version of the payload, and so a client who follows the spec creates a signature that is invalid in the eyes of the server.
Good catch on this. We'll fix it soon.
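The mismatch described in this issue, as an added example that is not part of the thread or the Bindle code base: it builds the cleartext both ways and reports which construction a given signed string matches, which is the check to run when a spec-following client's signature is rejected. The struct and function names are hypothetical, the sample values are constructed, and it assumes `at` is an integer timestamp and that the `\n`-joined string has no trailing newline.

```rust
// Added example: field names come from the spec sentence quoted in the issue.
// Type and function names are hypothetical; sample values are constructed.

/// Signature inputs listed by the quoted spec sentence.
pub struct SigInput<'a> {
    pub by: &'a str,
    pub name: &'a str,
    pub version: &'a str,
    pub role: &'a str,
    pub at: u64, // assumption: integer timestamp
    pub parcel_sha256: &'a [&'a str], // label.sha256 of each parcel, in order
}

#[derive(Debug, PartialEq)]
pub enum Variant { Spec, ServerWithoutAt, Neither }

/// Build the cleartext: by, name, version, role, (at), then each label.sha256.
/// Assumption: joined with "\n", no trailing newline.
pub fn cleartext(s: &SigInput, include_at: bool) -> String {
    let mut lines: Vec<String> =
        vec![s.by.into(), s.name.into(), s.version.into(), s.role.into()];
    if include_at {
        lines.push(s.at.to_string()); // the line the issue says the server omits
    }
    lines.extend(s.parcel_sha256.iter().map(|h| h.to_string()));
    lines.join("\n")
}

/// Report which construction the signed cleartext corresponds to.
pub fn classify(signed: &str, s: &SigInput) -> Variant {
    if signed == cleartext(s, true) { Variant::Spec }
    else if signed == cleartext(s, false) { Variant::ServerWithoutAt }
    else { Variant::Neither }
}

/// Constructed sample invoice fields (not taken from the issue).
pub fn sample() -> SigInput<'static> {
    SigInput {
        by: "Test User <test@example.com>", name: "example.com/mybindle",
        version: "1.0.0", role: "creator", at: 1611960337,
        parcel_sha256: &[
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"],
    }
}

fn main() {
    let s = sample();
    println!("spec:\n{}\n\nwithout at:\n{}", cleartext(&s, true), cleartext(&s, false));
}
```

Because the two strings differ by one line, a signature over one never verifies against the other, so client and server must agree on the same construction.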