Unexpectedly added version property to extraIdentity

[8R0WNI3]

What happened:
When executing ocm sign componentversions on a component descriptor which contains multiple resources which share the same name and have extraIdentity explicitly set to {}, all resources have the version property added to the extraIdentity field except the last resource of that name (which is reasonable since the last resource is unique without extraIdentity being set as soon as all other resources have their version property added to it).

What you expected to happen:
Don't silently add properties to the extraIdentity field during ocm sign command (and certainly not inconsistently). Instead, rather fail verification.

How to reproduce it (as minimally and precisely as possible):
Example component descriptor which has to be signed using ocm sign componentversions command:

component:
  componentReferences: []
  name: example.org/my-component
  provider: ACME Inc.
  repositoryContexts: []
  resources:
  - access:
      imageReference: hello-world
      type: ociArtifact
    extraIdentity: {} # must not be omitted to reproduce behaviour
    name: my-resource # must be part of the component multiple times
    relation: external
    type: ociImage
    version: 0.1.1 # must be different for the resources sharing the same name
  - access:
      imageReference: hello-world
      type: ociArtifact
    extraIdentity: {} # must not be omitted to reproduce behaviour
    name: my-resource # must be part of the component multiple times
    relation: external
    type: ociImage
    version: 0.1.2 # must be different for the resources sharing the same name
  sources: []
  version: 1.0.0
meta:
  schemaVersion: v2
signatures: []

Anything else we need to know:

Environment:

[ccwienk]

Instead, rather fail verification

generally +1. However, I would personally prefer the sign command to at most emit a warning (which may be escalated to an error) upon validation error. At least, please offer a flag to ignore validation errors (motivation being identical to #755 (there should always be an override option for emergencies)

[8R0WNI3]

The problem can still be reproduced in case the extraIdentity property of the to-be-signed component descriptor's resources is explicitly set to an empty object {} (in contrast to omitting the property or setting it to null).

[mandelsoft]

Some months ago, there was a decision to get rid of this stangfe version defaulting for the extra identity.

So all new coding should create appropriate extraIdentity version fields if required to make the identity unique.

Unfortunately, there is a bug in the OCM library, which did this only if there is at least a non-nil extraIdentity map.

I'll fix this, and introduce this defaulting only in scenarios, where a component version is created/modified.
In any case, it MUST be avoided to do such a defaulting for existing component versions, especially if they are already signed,
because the extra identity field are part of the signature. We have missed to define the normalized CD format to always include
a complete logical extraIdentity. This cannot be changed to not invalidate existing signatures.

[mandelsoft]

@8R0WNI3 , could you please check #1026

[morri-son]

fixed with #1026