Hello,
When you use 'mage' to sign a manifest file, two hash signatures are created because the manifest file contains two different types of content: the manifest itself and the files that it references. The first hash signature is created for the manifest file itself, while the second hash signature is created for the referenced files. This is done to ensure the integrity of both the manifest file and the referenced files, and to prevent any tampering with the contents of the manifest or the referenced files.
Best Regards,
Hania Lian
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.