Create and verify signatures for serializable Rust structures and raw binary data.
The signatures are always created with the Ed25519 algorithm by the secure keystore (lair).
Agent public keys that identify agents are the public half of a signing keypair. The private half of the signing keypair never leaves the secure keystore and certainly never touches WASM.
If a signature is requested for a public key that has no corresponding private key in lair, the signing will fail.
Signatures can always be verified with the public key alone so can be done remotely (by other agents) and offline, etc.
The elliptic curve used by the signing algorithm is the same as the curve used by the encryption algorithms but is not constant time (because signature verification doesn’t need to be).
In general it is not a good idea to reuse signing keys for encryption even if the curve is the same, without mathematically translating the keypair, and even then it’s dubious to do so.
- Sign something that is serializable using the private key for the passed public key.
- Sign N serializable things using an ephemeral private key.
- Sign N data using an ephemeral private key.
- Sign some data using the private key for the passed public key.
- Verify the passed signature and public key against the passed serializable input.
- Verify the passed signature and public key against the literal bytes input.