take signing key path as the parameter instead of the key itself

This is to make sure that we don't leak keys in the argument and hence
in logs etc.