.RB [ \-t
.IR time ]
.br
-
+\h'8n'
.RB [ \-o
.IR output ]
.RI [ file
.RB [ \-F
.IR format ]
.br
-
+\h'8n'
.RB [ \-m
.IR file ]
.RB [ \-o
.BR key (1))
to generate the key.
.TP
+.B ed25519
+This is Bernstein, Duif, Lange, Schwabe, and Yang's Ed25519 algorithm.
+More specifically, this is HashEd25519
+using the selected
+.B hash
+algorithm \(en by default
+.BR sha512 .
+Use the
+.B ed25519
+algorithm of the
+.B key add
+command
+(see
+.BR key (1))
+to generate the key.
+.TP
+.B ed448
+This is Bernstein, Duif, Lange, Schwabe, and Yang's EdDSA algorithm,
+using Hamburg's Ed448-Goldilocks elliptic curve,
+as specified in RFC8032.
+More specifically, this is HashEd448
+using the selected
+.B hash
+algorithm \(en by default
+.BR sha3-512 .
+Use the
+.B ed448
+algorithm of the
+.B key add
+command
+(see
+.BR key (1))
+to generate the key.
+.TP
.B mac
This uses a symmetric message-authentication algorithm rather than a
digital signature. The precise message-authentication scheme used is
.BR eckcdsa ,
the default hash function is
.BR has160 .
+For
+.BR ed25519 ,
+the default hash function is
+.BR sha512 .
+For
+.BR ed448 ,
+the default hash function is
+.BR shake256 .
.PP
Run
.B catsign show hash
All messages.
.PP
.B Warning!
-All output written has been checked for authenticity. However, output
-can fail madway through for many reasons, and the resulting message may
+Unless the
+.B \-b
+option is set (which happens automatically if writing to standard
+output),
+.BR catsign 's
+output is
+.I not
+checked for authenticity until it has all been written. Even with
+.BR \-b ,
+output can fail midway for many reasons, and the resulting message may
therefore be truncated. Don't rely on the output being complete until
.B OK
is printed or