Merge pull request #28 from contentauth/docs/pkey_caveat

crandmck · web-flow · commit 4660ef91da80 · 2024-08-23T14:43:57.000-07:00
Add note about not accessing cert locally in prod
diff --git a/README.md b/README.md
@@ -72,7 +72,9 @@ except Exception as err:
 
 ### Add a signed manifest to a media file or stream
 
-Use a `Builder` to add a manifest to an asset.
+**WARNING**: This example accesses the private key and security certficate directly from the local file system.  This is fine during development, but doing so in production may be insecure. Instead use a Key Management Service (KMS) or a hardware security module (HSM) to access the certificate and key; for example as show in the [C2PA Python Example](https://github.com/contentauth/c2pa-python-example).
+
+Use a `Builder` to add a manifest to an asset:
 
 ```py
 try:
