Always load public master ed25519 key from disk, check for match with signing cert
The cause of bug #16530 (moved) is a still slightly murky, but one thing is apparent: we need to check harder when we like our ed25519 signing key and cert to make sure that they match our real public key as stored on disk.