fix: signingKey should not be part of the computed hash (#696)

In some flows it appears that `signingKey` is set and then serialized to `null` and messes up the signature.

Author: mkleene

lib/tdf3/src/assertions.ts

@@ -43,7 +43,9 @@ export type AssertionPayload = {
  * @returns the hexadecimal string representation of the hash
  */
 export async function hash(a: Assertion): Promise<string> {
-  const result = canonicalizeEx(a, { exclude: ['binding', 'hash', 'sign', 'verify'] });
+  const result = canonicalizeEx(a, {
+    exclude: ['binding', 'hash', 'sign', 'verify', 'signingKey'],
+  });
 
   const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(result));
   return hex.encodeArrayBuffer(hash);

lib/tests/mocha/unit/assertions.spec.ts

@@ -21,5 +21,34 @@ describe('assertions', () => {
         })
       ).to.be.true;
     });
+
+    it('normalizes assertions', async () => {
+      let assertion: any = {
+        appliesToState: 'unencrypted',
+        id: 'system-metadata',
+        binding: {
+          method: 'jws',
+          signature: 'test-signature',
+        },
+        signingKey: {
+          alg: 'ES256',
+          key: new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10]),
+        },
+        scope: 'payload',
+        statement: {
+          format: 'json',
+          schema: 'system-metadata-v1',
+          value:
+            '{"tdf_spec_version":"4.3.0","creation_date":"2025-07-23T09:25:51.255364+02:00","operating_system":"Mac OS X","sdk_version":"Java-0.8.2-SNAPSHOT","java_version":"17.0.14","architecture":"aarch64"}',
+        },
+        type: 'other',
+      };
+
+      let h1 = await assertions.hash(assertion);
+      delete assertion.signingKey;
+      let h2 = await assertions.hash(assertion);
+
+      expect(h1).to.equal(h2);
+    });
   });
 });