add an api point to retrieve the signing pub key
as keys are normally populated at runtime (from a vault secret), add an api point /crt
to retrieve the public certificate used to sign the packages. That way all containers can get the certificate dynamically