by steventhedev 87 days ago
The entire point of this is that the complexity is encapsulated on the signing side - not the verifier. So it's more that you would split the keys between systems you control - say the reverse proxy and the application server.

Or one that's checked into your version control (representing that it is your company's code that's running) and one that lives on the server (representing that it is a server your company controls).

Or to take your example - a key in the repo, a key from the dev, and a key from the build server.
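The point made in this comment, shown as an added example that is not the commenter's code: several holders (proxy and app server, or repo, developer and build server) each keep their own share of a signing key, and the verifier runs a plain single-key Schnorr check against one public key. The group parameters are a deliberately tiny toy group constructed here for illustration, and the nonce handling omits the commitment round a real multi-party protocol would add.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small for real use):
# P is prime, Q = (P - 1) / 2 is prime, and G = 4 generates the order-Q subgroup.
P, Q, G = 1907, 953, 4


def challenge(R, pk, msg):
    """Fiat-Shamir challenge e = H(R || pk || msg) reduced mod Q."""
    h = hashlib.sha256(f"{R}|{pk}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen_shares(n):
    """Each of n holders (repo, developer, build server, ...) picks its own share.
    The joint public key is G^(sum of shares); the full private key never exists."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    pk = 1
    for sk in shares:
        pk = pk * pow(G, sk, P) % P
    return shares, pk


def sign_multiparty(shares, pk, msg):
    """Every holder contributes a nonce and a partial signature; partials add up.
    (A real protocol would commit to the nonces first to block rogue-nonce play.)"""
    nonces = [secrets.randbelow(Q - 1) + 1 for _ in shares]
    R = 1
    for k in nonces:
        R = R * pow(G, k, P) % P  # aggregate nonce commitment
    e = challenge(R, pk, msg)
    s = sum((k + e * sk) % Q for k, sk in zip(nonces, shares)) % Q
    return R, s


def verify(pk, msg, sig):
    """Ordinary single-key Schnorr check: G^s == R * pk^e.
    Nothing here knows, or needs to know, how many parties held shares."""
    R, s = sig
    e = challenge(R, pk, msg)
    return pow(G, s, P) == R * pow(pk, e, P) % P


if __name__ == "__main__":
    shares, pk = keygen_shares(3)
    sig = sign_multiparty(shares, pk, b"release v1.2.3")
    print("3-of-3 signature verifies:", verify(pk, b"release v1.2.3", sig))
```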