secure-device-onboard/rendezvous-service

JWT Signing Key is exposed


The default JWT signing key is exposed here.
https://github.com/secure-device-onboard/rendezvous-service/blob/v1.10.1/demo/rendezvous.env#L13

In the hypothetical scenario where a deployed instance doesn't change this key, the JWT bearer tokens (used for msg/22 and msg/32) can be created with arbitrary timeout values.
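A defender-side guard for the risk described in the post, added here as an example and not code from rendezvous-service: it refuses to start when the configured key equals a placeholder standing in for the demo default (the real value is deliberately not reproduced), and its verifier caps token lifetime so that even a correctly signed msg/22 or msg/32 bearer token cannot carry an arbitrary timeout. The HS256 encoding, the constant names, the 300-second cap and the 32-byte minimum are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed placeholder for the demo default key in demo/rendezvous.env;
# the real value is deliberately not reproduced here.
KNOWN_DEFAULT_KEYS = {"REPLACE_WITH_DEMO_DEFAULT_KEY"}
MIN_KEY_BYTES = 32            # assumed minimum length for an HS256 secret
MAX_TOKEN_LIFETIME_S = 300    # assumed server-side cap on token validity

def check_signing_key(key: str) -> None:
    """Startup guard: refuse a shipped default or an under-sized key."""
    if key in KNOWN_DEFAULT_KEYS:
        raise ValueError("JWT signing key is the shipped demo default")
    if len(key.encode()) < MIN_KEY_BYTES:
        raise ValueError("JWT signing key is too short")

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def issue_token(key: str, claims: dict) -> str:
    """Legitimate issuer side: sign the claims with HS256."""
    head = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, key: str, now: int) -> dict:
    """Verifier side: check the signature, then cap lifetime regardless of 'exp'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("iat and exp are required")
    if iat > now or exp <= now:
        raise ValueError("token not yet valid or expired")
    # A validly signed token still cannot claim more lifetime than the server allows.
    if exp - iat > MAX_TOKEN_LIFETIME_S:
        raise ValueError("token lifetime exceeds server cap")
    return claims
```

The cap only bounds how long any single token is honoured; rotating away from the shipped key is the actual fix.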