Which key to use to validate the Server-Side Notifications v2 JWTs?

I am looking at using the v2 in-app subscriptions server-side notifications. I have got this working by decoding and validating the token using the x5c and alg properties in the header.

However, I don't know how to validate that this certificate was issued by Apple. The docs don't really seem to say anything about this.

Does anyone know how I do this? At the moment, my code is a bit pointless as the JWT could have been signed by anyone.

The only other thing I can think of is to ignore the JWT altogether and just use the API to query every time which seems to defeat the object.

Please see this page with resources so you can verify its authenticity: https://www.apple.com/certificateauthority/
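
The check the reply above is pointing at, as an added example that is not code from this thread or from Apple: validating the x5c chain against a root you trust before trusting the ES256 signature. It is Go using only the standard library and, so that it runs offline, builds its own throwaway root, intermediate and leaf as a stand-in for Apple's chain; in production the root pool would instead hold Apple's ECC root (Apple Root CA - G3, downloaded from the page linked above and stored with your deployment, not fetched per request). The payload fields and certificate names are constructed sample data, and the example assumes the token is the compact `signedPayload` JWS with `alg` and `x5c` in its header, as the question describes. It does not pin which Apple leaf may sign notifications (a production verifier should also check the leaf's Apple-specific extensions, which the thread does not cover).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// VerifySignedPayload validates a signedPayload JWS: the x5c chain must reach a
// root in roots (Apple Root CA - G3 in production; the constructed test root
// below here) and the ES256 signature must verify under the leaf key.
func VerifySignedPayload(token string, roots *x509.CertPool) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	rawHdr, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawBody, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 { // ES256 sig is raw r||s, 64 bytes
		return nil, errors.New("malformed JWS segments")
	}
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" || len(hdr.X5c) == 0 { // pin alg
		return nil, errors.New("header must carry alg=ES256 and a non-empty x5c")
	}
	var certs []*x509.Certificate
	for _, b64 := range hdr.X5c { // x5c entries are standard (not URL) base64 DER, leaf first
		der, err := base64.StdEncoding.DecodeString(b64)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return nil, errors.New("x5c entry is not base64 DER")
		}
		certs = append(certs, c)
	}
	leaf, inter := certs[0], x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	// This is the step the question is missing: without it any self-signed x5c passes.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c chain does not reach a trusted root: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return nil, errors.New("leaf key is not P-256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if err := json.Unmarshal(rawBody, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// mkCert generates a P-256 key and issues a test cert for it (constructed PKI,
// not Apple's). A nil parent means self-signed.
func mkCert(serial int64, cn string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// SignES256 builds a compact JWS with an x5c header (leaf first), the shape of signedPayload.
func SignES256(claims map[string]any, chain []*x509.Certificate, key *ecdsa.PrivateKey) string {
	var x5c []string
	for _, c := range chain {
		x5c = append(x5c, base64.StdEncoding.EncodeToString(c.Raw))
	}
	hdr, _ := json.Marshal(map[string]any{"alg": "ES256", "x5c": x5c})
	body, _ := json.Marshal(claims)
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, key, d[:])
	sig := make([]byte, 64) // JWS ES256: r||s, each left-padded to 32 bytes, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return in + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// BuildTestTokens returns a trusted root pool, a token whose x5c chains to it via an
// intermediate, and a token signed under an unrelated self-signed cert ("signed by anyone").
func BuildTestTokens() (*x509.CertPool, string, string) {
	root, rk := mkCert(1, "Test Root CA", true, nil, nil)
	inter, ik := mkCert(2, "Test Intermediate CA", true, root, rk)
	leaf, lk := mkCert(3, "Test Notification Signer", false, inter, ik)
	attacker, ak := mkCert(4, "Attacker", false, nil, nil)
	claims := map[string]any{"notificationType": "SUBSCRIBED", "notificationUUID": "constructed-sample"}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return pool, SignES256(claims, []*x509.Certificate{leaf, inter}, lk), SignES256(claims, []*x509.Certificate{attacker}, ak)
}

func main() {
	roots, good, rogue := BuildTestTokens()
	_, goodErr := VerifySignedPayload(good, roots)
	_, rogueErr := VerifySignedPayload(rogue, roots)
	fmt.Println("trusted chain:", goodErr, "| self-signed chain:", rogueErr)
}
```

The signature check on its own only proves that whoever holds the leaf's private key signed the token; `leaf.Verify` against your root pool is what proves that leaf was issued under Apple's root, which is the part the question says is missing. Two details that commonly trip people up are also shown: `x5c` entries are standard base64 DER while the JWS segments are base64url, and an ES256 JWS signature is the raw 64-byte `r||s`, not the DER encoding most crypto libraries emit by default.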

I am trying to implement this and it is not working. I don't know which certificate(s) I am supposed to use, and I'm having a hard time believing that there isn't some page of documentation we're all missing that properly addresses the intended best practices here.

For example: https://developer.apple.com/documentation/sign_in_with_apple/fetch_apple_s_public_key_for_verifying_token_signature. Here it is much clearer what we are intended to do. I've actually implemented this and it works. I see other posts here and elsewhere on the internet on this same topic and in most cases, people aren't really sure what to do, and most of the answers misunderstand the basic issue. There are one or two who say they've gotten something working in Golang or something, but I wonder how reliable those solutions are.

  • Please provide better documentation on securing App Store server notifications (with the REST API this is less of an issue for obvious reasons)
  • Please provide a specific endpoint to fetch a public key for this, and document it clearly.
  • Please do not respond with a link to https://www.apple.com/certificateauthority/. That link is already available, I get the urge to save time by reusing an existing page as the solution for how to implement this new feature but it's not helpful.

Thanks

As always, Apple giving no shit about how developers can do shit.
