NCommander / vaksina

MIT License

Utilize a self-signed certificate and custom trust chain for test case cryptographic validation. #8

Open amcgregor opened 2 years ago

amcgregor commented 2 years ago

Unnecessary word of caution: Explicitly only for the test cases involving cryptographic code paths.

An example of this might include an end-to-end "integration" test with a generated QR image as source material. These test images can be pre-generated—and are unlikely to change—with only the public key shipped with the codebase for validation, or a tool such as git-crypt can be used to protect the private key in use. I've used this to good effect in the past, and it integrates using GPG, thus works well if code signing will be utilized anyway and can support multi-person teams.

NCommander commented 2 years ago

My general thought is to generate the keys on the fly for a given test signing pass, which is how I've done this for X.509 testing, where I'll generate an entire CA on the fly as needed. I have reservations about documenting how that works more clearly, but there are a ton of GitHub repos I found that can do just that so ... maybe that ship has already sailed ...

NCommander commented 2 years ago

I've implemented some skeleton support code to at least make it possible to calculate the KID from a given EC pubkey. Unfortunately, I ran into annoying licensing issues, which means implementing this is easier said than done. I'm not a big fan of having even a private test-signing key in the repo, so I'm thinking this is the way to go.
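
The approach discussed in this thread, as an added example that is not part of the issue or of the vaksina code base: a test fixture generates a P-256 key in memory, derives its KID, and validates signatures against a trust store holding only that ephemeral public key. It assumes the KID is an RFC 7638 JWK SHA-256 thumbprint (the thread does not say how vaksina derives it) and uses the `cryptography` package; `EphemeralIssuer`, `kid_for`, `verify` and the token dictionary are hypothetical names and shapes.

```python
import base64
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def b64u(raw: bytes) -> str:
    """Unpadded base64url, as used for JWK members and thumbprints."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def kid_for(public_key) -> str:
    """KID as an RFC 7638 thumbprint (assumed derivation, see lead-in)."""
    n = public_key.public_numbers()
    jwk = {"kty": "EC", "crv": "P-256",
           "x": b64u(n.x.to_bytes(32, "big")),
           "y": b64u(n.y.to_bytes(32, "big"))}
    # Required members only, keys in lexicographic order, no whitespace.
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canonical.encode()).digest())


class EphemeralIssuer:
    """Test-only signer: the private key exists in memory for one run only."""

    def __init__(self):
        self._key = ec.generate_private_key(ec.SECP256R1())
        self.public_key = self._key.public_key()
        self.kid = kid_for(self.public_key)

    def sign(self, payload: bytes) -> dict:
        sig = self._key.sign(payload, ec.ECDSA(hashes.SHA256()))
        return {"kid": self.kid, "payload": payload, "sig": sig}


def verify(token: dict, trust_store: dict) -> bool:
    """Accept only signatures from keys whose KID is in the trust store."""
    key = trust_store.get(token["kid"])
    if key is None:
        return False  # issuer is not part of the custom trust chain
    try:
        key.verify(token["sig"], token["payload"], ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False
```

Because the trust store is built per test from the fixture's own public key, no private key material needs to be committed, and a token signed by any other key is rejected by KID lookup before signature verification is attempted.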