Generate claims' instanceID field

[UlrichEckhardt]

From the C2PA spec:

If the asset contains XMP, then the asset’s xmpMM:InstanceID should be used as the instanceID. When no XMP is available, then some other unique identifier for the asset shall be used as the value for instanceID.

• We need some kind of identifier for the asset, to use as instanceID. I'm not sure what the requirements are, apart from being unique. Perhaps a hash would work or perhaps a path serving as URI within the file.
• For the case of XMP assets, we should extract that.
• What does c2pa-rs do?

[UlrichEckhardt]

Just some notes here:

• There are typically two instanceID fields, one in the claim, one in an ingredient assertion. Both of them refer to the same asset, so we need to make sure they are the same when creating manifests. However, in newer versions of the spec, the instance ID in the ingredient assertion is optional.
• When the asset embeds XMP, the value should be taken from there. Also, a metadata assertion with that value is required.
• Without XMP, there are other IDs. Most likely, we should use a hash for now, as laid out in the spec. Using an externally generated/managed identifier seems to be overkill at the moment.

Concerning c2pa-rs:
Here, when reading a stream, the XMP instance ID is used if available. Otherwise, a UUID is generated, i.e. a random value is used. This seems to be in conflict with the C2PA spec.

[cyraxx]

Reading from XMP would be easy with a library such as ExifReader but that would mean reading the asset twice and I'd also like to avoid bringing such a big dependency in. Parsing it directly from the asset might be feasible, I haven't looked into how XMP is stored in the various asset formats.
At the current stage I'd be fine with simply supplying the instance ID as a parameter by the caller.