Publishing a signed manifest is a two-step process. Because the signature is added to the already-published package rather than to a new one, the package is left intact, including its time stamp.
1. Publish the package unsigned to a repository.
2. Update the package in place, using the pkgsign command to append a signature action to the manifest in the repository.
This process enables a signature action to be added by someone other than the publisher without invalidating the original publisher's signature. For example, the QA department of a company might want to sign all packages that are installed internally to indicate that they have been approved for use, but not republish the packages, since republishing would create a new time stamp and invalidate the original publisher's signature.
Note that using the pkgsign command is the only way to publish a signed package. If you publish a package whose manifest already contains a signature action, that signature is removed and a warning is emitted, so signing must always happen after publication. The pkgsign(1) man page contains examples of how to use the pkgsign command.
Signature actions that carry variants are ignored. Because pkgmerge tags the actions that differ between its input manifests with the variant being merged, and the signature actions of two independently signed manifests differ, performing a pkgmerge on a pair of manifests invalidates any signatures that were previously applied. Sign packages after any pkgmerge step, not before it.
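The two-step publish-then-sign procedure above, as an added example that is not taken from the pkgsign(1) man page or any Oracle documentation. The repository path, publisher prefix, package FMRI, proto directory and key/certificate paths are assumed names, and the sample manifest is constructed here to show how a client-side check distinguishes a usable signature action from one that has acquired a variant tag (for example after pkgmerge) and is therefore ignored. The real pkgsend/pkgsign/pkgrecv calls are only run on a host that has the IPS tools installed and when the script is invoked with the argument "run".

```shell
#!/bin/sh
# Added example: publish unsigned, then sign in place with pkgsign, then
# verify that the signature landed and the package time stamp did not change.

REPO=${REPO:-/tmp/myrepo}                     # assumed repository path
PUBLISHER=${PUBLISHER:-example}               # assumed publisher prefix
PKG_FMRI=${PKG_FMRI:-pkg:/example/app}        # assumed package FMRI pattern
PROTO_DIR=${PROTO_DIR:-/tmp/app-proto}        # assumed proto area
MANIFEST=${MANIFEST:-/tmp/app.p5m}            # assumed unsigned manifest
KEY=${KEY:-/etc/pkgsign/publisher.key}        # assumed signing key
CERT=${CERT:-/etc/pkgsign/publisher.crt}      # assumed signing certificate
INTERMEDIATE=${INTERMEDIATE:-/etc/pkgsign/intermediate.crt}  # assumed chain cert

# Time stamp portion of the pkg.fmri set action in a manifest file ($1).
fmri_timestamp() {
    awk '$1 == "set" && $2 == "name=pkg.fmri" { sub(/.*:/, "", $3); print $3 }' "$1"
}

# Count signature actions in a manifest file ($1) that the client will honor.
# A signature action carrying any variant.* attribute is ignored, so it is
# not counted; this is exactly what a pkgmerge leaves behind.
count_usable_signatures() {
    awk '$1 == "signature" {
             ok = 1
             for (i = 2; i <= NF; i++) if ($i ~ /^variant\./) ok = 0
             if (ok) n++
         }
         END { print n + 0 }' "$1"
}

# Fetch the published manifest of $PKG_FMRI from $REPO into $1 and print its path.
fetch_manifest() {
    pkgrecv -s "$REPO" -d "$1" --raw "$PKG_FMRI" >/dev/null || return 1
    find "$1" -name manifest | head -n 1
}

# Step 1: publish unsigned (pkgsend drops any pre-existing signature action).
# Step 2: sign the published package in place; FMRI and time stamp are unchanged.
publish_and_sign() {
    [ -d "$REPO" ] || { pkgrepo create "$REPO" &&
                        pkgrepo set -s "$REPO" publisher/prefix="$PUBLISHER"; } || return 1
    pkgsend -s "$REPO" publish -d "$PROTO_DIR" "$MANIFEST" || return 1
    before=$(mktemp -d); after=$(mktemp -d)
    ts_before=$(fmri_timestamp "$(fetch_manifest "$before")")
    pkgsign -s "$REPO" -k "$KEY" -c "$CERT" -i "$INTERMEDIATE" "$PKG_FMRI" || return 1
    m_after=$(fetch_manifest "$after")
    ts_after=$(fmri_timestamp "$m_after")
    [ "$ts_before" = "$ts_after" ] || { echo "time stamp changed: $ts_before -> $ts_after"; return 1; }
    [ "$(count_usable_signatures "$m_after")" -ge 1 ] || { echo "no usable signature"; return 1; }
    echo "signed $PKG_FMRI at $ts_after with $(count_usable_signatures "$m_after") usable signature(s)"
}

# Constructed sample manifest: one clean signature action and one that carries
# a variant tag (as pkgmerge would produce). Hash and value fields are dummies.
SAMPLE_MANIFEST=$(mktemp)
cat > "$SAMPLE_MANIFEST" <<'EOF'
set name=pkg.fmri value=pkg://example/example/app@1.0,5.11-0:20240101T000000Z
set name=pkg.summary value="Example application"
dir path=opt/example owner=root group=bin mode=0755
file 0123456789abcdef0123456789abcdef01234567 path=opt/example/bin/app owner=root group=bin mode=0555
signature aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa algorithm=rsa-sha256 value=QUJDRA== version=0
signature bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb algorithm=rsa-sha256 value=RUZHSA== version=0 variant.arch=i386
EOF

echo "sample manifest: usable signatures = $(count_usable_signatures "$SAMPLE_MANIFEST"), time stamp = $(fmri_timestamp "$SAMPLE_MANIFEST")"

if [ "${1:-}" = "run" ] && command -v pkgsign >/dev/null 2>&1; then
    publish_and_sign
fi
```

The time-stamp comparison is the practical check for the property the text promises: if ts_before and ts_after differ, the package was republished rather than signed in place, and any earlier signature on it is gone. Run the script with the argument "run" on a Solaris host to perform the real publish and sign; without it, only the constructed manifest is inspected.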