diff --git a/internal/controlplane/http.go b/internal/controlplane/http.go
index 90c693509..85ce1b4a0 100644
--- a/internal/controlplane/http.go
+++ b/internal/controlplane/http.go
@@ -53,7 +53,7 @@ func (srv *Server) mountCommonEndpoints(root *mux.Router, cfg *config.Config) er
 		return fmt.Errorf("invalid authenticate URL: %w", err)
 	}
 
-	rawSigningKey, err := cfg.Options.GetSigningKey()
+	signingKey, err := cfg.Options.GetSigningKey()
 	if err != nil {
 		return fmt.Errorf("invalid signing key: %w", err)
 	}
@@ -68,6 +68,6 @@ func (srv *Server) mountCommonEndpoints(root *mux.Router, cfg *config.Config) er
 	root.HandleFunc("/ping", handlers.HealthCheck)
 	root.Handle("/.well-known/pomerium", handlers.WellKnownPomerium(authenticateURL))
 	root.Handle("/.well-known/pomerium/", handlers.WellKnownPomerium(authenticateURL))
-	root.Path("/.well-known/pomerium/jwks.json").Methods(http.MethodGet).Handler(handlers.JWKSHandler(rawSigningKey, hpkePublicKey))
+	root.Path("/.well-known/pomerium/jwks.json").Methods(http.MethodGet).Handler(handlers.JWKSHandler(signingKey, hpkePublicKey))
 	return nil
 }
diff --git a/pkg/cryptutil/jose.go b/pkg/cryptutil/jose.go
index 940954fde..3334050d7 100644
--- a/pkg/cryptutil/jose.go
+++ b/pkg/cryptutil/jose.go
@@ -78,18 +78,19 @@ func loadKeys(data []byte, unmarshal func([]byte) (any, error)) ([]*jose.JSONWeb
 func loadPrivateKey(b []byte) (interface{}, error) {
 	var wrappedErr error
 	var err error
+	var key any
 
-	if key, err := x509.ParseECPrivateKey(b); err == nil {
+	if key, err = x509.ParseECPrivateKey(b); err == nil {
 		return key, nil
 	}
 	wrappedErr = multierror.Append(wrappedErr, err)
 
-	if key, err := x509.ParsePKCS1PrivateKey(b); err == nil {
+	if key, err = x509.ParsePKCS1PrivateKey(b); err == nil {
 		return key, nil
 	}
 	wrappedErr = multierror.Append(wrappedErr, err)
 
-	if key, err := x509.ParsePKCS8PrivateKey(b); err == nil {
+	if key, err = x509.ParsePKCS8PrivateKey(b); err == nil {
 		return key, nil
 	}
 	wrappedErr = multierror.Append(wrappedErr, err)
@@ -101,8 +102,9 @@ func loadPrivateKey(b []byte) (interface{}, error) {
 func loadPublicKey(b []byte) (interface{}, error) {
 	var wrappedErr error
 	var err error
+	var key any
 
-	if key, err := loadPrivateKey(b); err == nil {
+	if key, err = loadPrivateKey(b); err == nil {
 		switch k := key.(type) {
 		case *rsa.PrivateKey:
 			return k.Public(), nil
@@ -114,12 +116,12 @@ func loadPublicKey(b []byte) (interface{}, error) {
 	}
 	wrappedErr = multierror.Append(wrappedErr, err)
 
-	if key, err := x509.ParsePKIXPublicKey(b); err == nil {
+	if key, err = x509.ParsePKIXPublicKey(b); err == nil {
 		return key, nil
 	}
 	wrappedErr = multierror.Append(wrappedErr, err)
 
-	if key, err := x509.ParseCertificate(b); err == nil {
+	if key, err = x509.ParseCertificate(b); err == nil {
 		return key, nil
 	}
 	wrappedErr = multierror.Append(wrappedErr, err)