I have zero trust in the average dev managing signing keys properly