eNotary: Notary signs new key binding certificate

[plansombl]

Description

Inside the eNotary software, a notary must be able to sign a newly generated key binding certificate. This allows a fresh cryptographic key to be officially bound and attested by the notary, establishing trust for downstream consumers of the certificate (e.g. eID wallets, eVault access).

Reference

• Related to the eID Wallet passphrase-free recovery flow (see companion issue).

Acceptance Criteria

• The eNotary UI presents a clear workflow for a notary to review and sign a new key binding certificate.
• The signed certificate is cryptographically valid and includes the notary's signature over the new public key and binding metadata.
• The resulting certificate is exportable / storable in a format consumable by the rest of the MetaState ecosystem.
• Signing is gated behind proper notary authentication (the notary must be authenticated before signing).
• Error states (e.g. invalid key material, unauthorised notary) are handled gracefully with clear feedback.
• The feature is covered by appropriate tests.

Desired Output (may vary)

A notary successfully signs a new key binding certificate within eNotary, producing a verifiable artefact that can be used to bind a new key to an identity.