Needed change: Determine controlling principal "offline"

A signature would only expose the public key. Are these mostly devs that will be using it? You could put some kind of setup on their dev machine? If it is all on the IC, you could look at storing their key using vetKeys, and the app could download it anytime it needs it via some kind of config canister.

Subnet signing is the old way of getting signatures (non-tECDSA). It is the way II and SIWE work. Basically you put data in your canister's data and sign it.

How to create a decentralized community neuron