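/// <summary>
/// Downloads the attestation service's trusted signing keys (a JWKS document) after
/// checking that the token's "jku" header names the expected discovery endpoint,
/// <c>https://{attestDnsName}/certs</c>.
/// </summary>
/// <remarks>
/// This method does not verify the token's signature, so the header it reads is
/// untrusted input. The "jku" value is therefore only compared against the locally
/// derived endpoint and is never used as the download target. Without that pinning,
/// whoever crafted the token could also choose the keys used to validate it.
/// </remarks>
/// <param name="serviceJwt">Encoded JWT returned by the attestation service.</param>
/// <param name="attestDnsName">DNS name of the attestation endpoint the caller expects.</param>
/// <param name="tenantName">Tenant name, sent (truncated to 24 characters) in the "tenantName" request header.</param>
/// <param name="includeDetails">When true, the validated "jku" value is also logged.</param>
/// <returns>The key set parsed from the discovery endpoint's response.</returns>
/// <exception cref="ArgumentException">The "jku" header is missing or does not match the expected endpoint.</exception>
private static JsonWebKeySet RetrieveTrustedSigningKeys(string serviceJwt, string attestDnsName, string tenantName, bool includeDetails)
        {
            const int maxTenantNameHeaderLength = 24;

            var expectedCertificateDiscoveryEndpoint = $"https://{attestDnsName}/certs";

            // Parse attestation service trusted signing key discovery endpoint from JWT header jku field
            var jwt              = new JsonWebToken(serviceJwt);
            var jsonHeaderBytes  = Base64Url.DecodeBytes(jwt.EncodedHeader);
            var jsonHeaderString = Encoding.UTF8.GetString(jsonHeaderBytes);
            var jsonHeader       = JObject.Parse(jsonHeaderString);
            var jkuToken         = jsonHeader.SelectToken("jku");

            // A token without "jku" previously surfaced as a NullReferenceException; fail with a clear error instead.
            if (jkuToken == null)
            {
                throw new ArgumentException("JWT JKU header not valid.  The 'jku' field is missing.");
            }

            Uri certificateDiscoveryEndpoint = new Uri(jkuToken.ToString());
            var jkuValue                     = certificateDiscoveryEndpoint.ToString();

            // Validate that "jku" points to the expected certificate discovery endpoint.
            // This is a trust decision, so compare ordinally: culture-sensitive comparison
            // applies linguistic rules (for example ignoring certain characters) that must
            // not influence whether a URL is accepted.
            if (!expectedCertificateDiscoveryEndpoint.Equals(jkuValue, StringComparison.OrdinalIgnoreCase))
            {
                throw new ArgumentException($"JWT JKU header not valid.  Value is '{jkuValue}'.  Expected value is '{expectedCertificateDiscoveryEndpoint}'");
            }
            Logger.WriteLine($"JWT JKU location validation        : True");
            if (includeDetails)
            {
                Logger.WriteLine($"    JWT JKU value                  : {jkuValue}");
            }

            // Retrieve trusted signing keys from the attestation service.
            // The request goes to the locally derived endpoint, not the token-supplied URI,
            // so the download target never depends on attacker-controllable header content.
            var trustedEndpoint = new Uri(expectedCertificateDiscoveryEndpoint);

            // WebClient is IDisposable; release it once the download completes.
            using (var webClient = new WebClient())
            {
                var tenantHeaderValue = tenantName.Length > maxTenantNameHeaderLength
                    ? tenantName.Remove(maxTenantNameHeaderLength)
                    : tenantName;
                webClient.Headers.Add("tenantName", tenantHeaderValue);

                var jwksValue = webClient.DownloadString(trustedEndpoint);
                return new JsonWebKeySet(jwksValue);
            }
        }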