Sign a Card with an additional keyThis guide shows how to sign a Card with an additional private key for providing your digital solution with the highest level of security.When you care about your security, you shouldn't trust anyone. Thus, to be sure that a user's Card wasn't replaced with another one, you have to add an additional signature into a Card.Before publishing a user's Card on Virgil Cards Service, we recommend that you sign a Card with an additional private key, for example, the private key of your Application Server. Remember, you cannot change a Card's content after it's published. Generate a Private KeyYou can generate a private key for your server and save it in a secure key storage with the following code:from virgil_crypto import VirgilCrypto from virgil_sdk.utils import Utils # generate a key pair crypto = VirgilCrypto() key_pair = crypto.generate_keys() # export private and public key private_key_data = crypto.export_private_key(key_pair.private_key, "YOUR_PASSWORD") public_key_data = crypto.export_public_key(key_pair.public_key) # Save it securely private_key_str = Utils.b64encode(private_key_data) # Embed it in client-side apps public_key_str = Utils.b64encode(public_key_data)Also, you can generate a private key using the Virgil CLI.Sign a user's CardIn order to add the signature of your app server to a user's Card you need to:transmit an existing user's Card to your server (you must do this before publishing). You can use any suitable way to transmit the Card.If you need to export a user's Card to a string representation on a client side or import a Card from the string representation on a server side, use the following lines of code:from virgil_sdk.client import RawSignedModel def sign_callback(model): raw_card_str = model.to_string() # Send this string to server-side, where it will be signed response = authenticated_query_to_server(raw_card_str) signed_raw_card = RawSignedModel.from_string(response) return signed_raw_card # Now can use it as argument for CardManagersign a transmitted user's Card with a private key of your server:from virgil_crypto.card_crypto import CardCrypto from virgil_sdk.client import RawSignedModel from virgil_sdk.signers import ModelSigner # Receive raw_card_str from a client raw_card = RawSignedModel.from_string(raw_card_str) card_crypto = CardCrypto() signer = ModelSigner(card_crypto) # sign a user's card with a server's private key signer.sign( raw_card, signer="YOUR_BACKEND", signer_private_key=private_key ) # Send it back to the client new_raw_card_str = raw_card.to_string()Then Virgil SDK sends back a signed Card to the client side.setup Virgil Card Verifier. By default, CardVerifier only verifies the signatures of a Card owner and Virgil Cards Service. So when you add an additional signature to users' Cards, you also have to set up CardVerifier.