Provenance file chart.yaml doesn't match the source #31866

@TheFox0x7

What happened?

Hey, I'm working on adding a /prov endpoint for the Gitea Helm registry and I have issues decoding the chart.yaml part of the prov file.
From the docs I understand that the chart.yaml should be included in the prov file, with additional metadata separated by ...\n, but this appears not to match the output, as the keywords and sources appear to be double nested.

In fact, if I take the chart.yaml part from the prov file and replace the original one, I can't sign it in the first place since it cannot be unmarshaled.

What did you expect to happen?

The chart.yaml in the prov file should match the one in the package and be valid.

How can we reproduce it (as minimally and precisely as possible)?

  1. Take the example hello world chart https://github.com/helm/examples
  2. Modify the Chart.yaml to include a list:

```yaml
apiVersion: v2
name: hello-world
description: A Helm chart for Kubernetes
keywords:
  - foo
sources:
  - bar
type: application
version: 0.1.0
appVersion: "1.16.0"
```

  3. Package the chart: `helm package --sign hello-world/ --key yourkey --keyring yourkeyring`
  4. Inspect the prov file and note the keywords and sources sections:

```yaml
apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for Kubernetes
keywords:
- - foo
name: hello-world
sources:
- - bar
type: application
version: 0.1.0
```

You can replace the original chart.yaml with these contents to verify it does not parse.

Helm version

```
$ helm version
version.BuildInfo{Version:"v4.1.1", GitCommit:"5caf0044d4ef3d62a955440272999e139aafbbed", GitTreeState:"", GoVersion:"go1.25.7 X:nodwarf5", KubeClientVersion:"v1.35"}
```

Kubernetes version

none
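
An added example, not part of the original report and not Helm or Gitea code: RFC 4880 section 7.1 dash-escapes every line of a cleartext-signed message that starts with `-` by prefixing `- `, which turns `- foo` into `- - foo`. Assuming the `.prov` body above is such a message, this sketch undoes the escaping before splitting the chart metadata from the checksum document at `...`; `splitProv` and `sampleProv` are hypothetical names, the sample is constructed, and the signature is not verified here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample shaped like the .prov in the report; hash and signature are placeholders.
const sampleProv = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" +
	"apiVersion: v2\nkeywords:\n- - foo\nname: hello-world\nsources:\n- - bar\nversion: 0.1.0\n\n" +
	"...\nfiles:\n  hello-world-0.1.0.tgz: sha256:PLACEHOLDER\n" +
	"-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"

// splitProv (hypothetical helper) returns the chart metadata and the checksum
// document of a cleartext-signed .prov. It does NOT verify the signature.
func splitProv(prov string) (chart, sums string, err error) {
	lines := strings.Split(strings.ReplaceAll(prov, "\r\n", "\n"), "\n")
	if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----" {
		return "", "", errors.New("not a cleartext-signed message")
	}
	i := 1
	for i < len(lines) && lines[i] != "" { // skip armor headers such as "Hash:"
		i++
	}
	var body []string
	for i++; i < len(lines) && lines[i] != "-----BEGIN PGP SIGNATURE-----"; i++ {
		// RFC 4880 7.1: a leading "- " is an escape, not part of the signed text.
		body = append(body, strings.TrimPrefix(lines[i], "- "))
	}
	if i >= len(lines) {
		return "", "", errors.New("missing signature block")
	}
	chart, sums, ok := strings.Cut(strings.Join(body, "\n"), "\n...\n")
	if !ok {
		return "", "", errors.New("missing \"...\" document separator")
	}
	return strings.TrimSpace(chart) + "\n", strings.TrimSpace(sums) + "\n", nil
}

func main() {
	chart, _, err := splitProv(sampleProv)
	if err != nil {
		panic(err)
	}
	fmt.Print(chart) // the lists print as "- foo" and "- bar" again
}
```

A registry serving `/prov` should still check the signature with an OpenPGP library before trusting either document.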

Labels: bug, help wanted, v4.x