Don't use the primary key without calling with_policy
We often do something like:
cert.primary_key().key().clone()
.mark_parts_secret()?.into_keypair()?;
This is because we assume that the primary key is certification capable. That's true, but not calling .with_policy
means that the user's policy can't be applied. This is a bug and should be fixed.