Sign a Card with an additional keyThis guide shows how to sign a Card with an additional private key for providing your digital solution with the highest level of security.When you care about your security, you shouldn't trust anyone. Thus, to be sure that a user's Card wasn't replaced with another one, you have to add an additional signature into a Card.Before publishing a user's Card on Virgil Cards Service, we recommend that you sign a Card with an additional private key, for example, the private key of your Application Server. Remember, you cannot change a Card's content after it's published. Generate a Private KeyYou can generate a private key for your server and save it in a secure key storage with the following code: // generate a key pair keypair, err := crypto.GenerateKeypair() if err != nil { //handle error } // export private and public key privateKeyData, err := crypto.ExportPrivateKey(keypair.PrivateKey(), "") if err != nil { //handle error } publicKeyData, err := crypto.ExportPublicKey(keypair.PublicKey()) if err != nil { //handle error } // Save it securely privateKeyStr := base64.StdEncoding.EncodeToString(privateKeyData) // Embed it in client-side apps publicKeyStr := base64.StdEncoding.EncodeToString(publicKeyData)Also, you can generate a private key using the Virgil CLI.Sign a user's CardIn order to add the signature of your app server to a user's Card you need to:transmit an existing user's Card to your server (you must do this before publishing). You can use any suitable way to transmit the Card.If you need to export a user's Card to a string representation on a client side or import a Card from the string representation on a server side, use the following lines of code: params := &sdk.CardManagerParams{} params.SignCallback = func(model *sdk.RawSignedModel) (signedCard *sdk.RawSignedModel, err error) { rawCardStr, err := model.ExportAsBase64EncodedString() if err != nil { return nil, err } // Send this string to server-side, where it will be signed //import server's answer return sdk.GenerateRawSignedModelFromString(rawCardStr) }sign a transmitted user's Card with a private key of your server: // Receive rawCardStr from a client rawCard, err := sdk.ImportRawSignedModel(rawCardStr) if err != nil { //handle } modelSigner := sdk.NewModelSigner(cardCrypto) // sign a user's card with a server's private key err = modelSigner.Sign(rawCard, "YOUR_BACKEND", privateKey, nil) if err != nil { //handle } // Send it back to the client newRawCardStr, err := rawCard.ExportAsBase64EncodedString() if err != nil { //handle }Then Virgil SDK sends back a signed Card to the client side.setup Virgil Card Verifier. By default, CardVerifier only verifies the signatures of a Card owner and Virgil Cards Service. So when you add an additional signature to users' Cards, you also have to set up CardVerifier.