seems like you could sign it with an organizational entity vs individual dev - then add the entitys passphrase and cert to whatever secret store we’re using for other stuff to fully automate signing