Create and verify signatures for serializable Rust structures and raw binary data.
The signatures are always created with the Ed25519 algorithm by the secure keystore (lair).
Agent public keys that identify agents are the public half of a signing keypair. The private half of the signing keypair never leaves the secure keystore and certainly never touches WASM.
If a signature is requested for a public key that has no corresponding private key in lair, the signing will fail.
Signatures can always be verified with the public key alone so can be done remotely (by other agents) and offline, etc.
The elliptic curve used by the signing algorithm is the same as the curve used by the encryption algorithms but is not constant time (because signature verification doesn’t need to be).
In general it is not a good idea to reuse signing keys for encryption even if the curve is the same, without mathematically translating the keypair, and even then it’s dubious to do so.