Update README stating specific requirements for SIGNING_KEY (#1217)

Makes clear it must be an EC key and also that it must be present in the authentication service, if run separately.
2025-05-28 16:37:24 +02:00 · 2020-08-05 15:47:31 -06:00 · 2020-08-05 15:47:31 -06:00 · 9af93ff090
commit 9af93ff090
parent 6e26bd204a
1 changed files with 5 additions and 2 deletions
--- a/docs/reference/readme.md
+++ b/docs/reference/readme.md
@ -1197,9 +1197,11 @@ If unspecified:
 - Type: [base64 encoded] `string`
 - Optional

-Signing Key is the key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.
+Signing Key is the [Elliptic Curve] private key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.

-If set, the signing key's public key will can retrieved by hitting Pomerium's `/.well-known/pomerium/jwks.json` endpoint which lives on the authenticate service. For example:
+If set, the signing key's public key will can retrieved by hitting Pomerium's `/.well-known/pomerium/jwks.json` endpoint which lives on the authenticate service. (If running the authentication service separately, this option must also be set there.)
+
+For example:

 ```bash
 $ curl https://authenticate.int.example.com/.well-known/pomerium/jwks.json | jq
@ -1233,3 +1235,4 @@ If no certificate is specified, one will be generated and the base64'd public ke
 [signed headers]: ./signed-headers.md
 [toml]: https://en.wikipedia.org/wiki/TOML
 [yaml]: https://en.wikipedia.org/wiki/YAML
+[Elliptic Curve]: https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations#Generating_EC_Keys_and_Parameters