What is a Signer
A signer is any Solana account that cryptographically signs a transaction, and a keypair is what enables that signing capability. All Solana keypairs are Ed25519, a signature scheme based on an elliptic curve: a secret, private key (which you never show anyone) and a public key (which is viewable by anyone). The public key essentially serves as your address: it's just a 32-byte sequence of numbers in Base58 (with no 0x in front).
To visualize a signature and public key, imagine someone sealing a letter in wax. Everyone in your town recognizes that wax impression. Therefore, if that letter has the wax imprint, it was written by you. The only way to make that wax impression is via the stamp which you alone have. The impression is your public key; the stamp is your private key. Pressing the stamp into the wax to make the impression is called signing. You can make this impression yourself; anyone else can see it.
Technical Details of Signing
Transactions in Solana specify upfront which accounts will be used to sign them. The first account to sign will be the fee payer. Each account that signs the transaction will pay a flat fee of 5,000 lamports (0.000005 SOL) per account. At a current SOL price of $80, this comes to 0.0004 USD (a fraction of a cent) for each signer in the transaction. A transaction requiring two accounts to sign will pay 10,000 lamports in fees. Each account in a transaction can be the fee payer, so an application can pay the fees for another person by signing as the first signer of a transaction with their own keypair.
When you interact with a Dapp on Jupiter, the Phantom transaction simulator builds a transaction, simulates how this will change balances, and signs a message with your private key (which is encrypted in your hardware). Hardware wallets improve upon this: the private key never leaves the device, and the device itself signs and only returns the signature. Multisig wallets like Squads take things further, by having a specific number of keypairs (ex: 3 out of 5) sign a transaction. A DAO would use this to protect their treasury.
An interesting difference about signing on Solana is that programs do not have private keys. Solana has a way to derive an address called a Program Derived Address (PDA), which is a way of generating an address that has no corresponding private key. The runtime will then sign on behalf of the program with the signature of that program. This is how, for example, Marinade has the ability to hold the stake accounts on behalf of a user without someone physically holding a secret key. It is also how a pool on Raydium can hold funds without a keyholder.
Solana Keys vs. Ethereum Keys
Ethereum uses a different signature curve called secp256k1, also known as the Bitcoin curve. However, rather than being simply the public key, an Ethereum account is derived from the public key: it's the last 20 bytes of the hash of the public key prefixed with 0x. The Solana address is the full Ed25519 public key in Base58 encoding. So functionally similar but visually very different: rather than the common checksummed hexadecimal notation, you'll have something like: 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU.
One reason Solana chose Ed25519 as opposed to secp256k1 was the increased speed of that curve on batch verification of signatures. With a ~400ms slot time and a high throughput of transactions per second, it is crucial to keep the computational cost of validating each signature as low as possible. Also, the fixed fee of 5,000 lamports to be a fee payer is a stark contrast to Ethereum, where any action requiring a signature is subject to the variable gas market, which is known to spike as high as hundreds of dollars for a single transaction.
Why Signers are Important
Consider an NFT purchase on Magic Eden or Tensor. You approve the Phantom transaction prompt and your private key attests to a specific message which is a specific transaction. Every single byte of that message is important, and even changing one single byte will invalidate your signature. This is a core feature of the system that allows you to sign a transaction for $2 to buy a DRiP collection and then trust that the same signature cannot then be used to sign the sale of a $200,000 piece of NFT art on the blockchain.
On the flip side, you as the user must take all care in signing a transaction. If your private key is compromised, all funds in the accounts it has access to will be vulnerable. If you sign a malicious transaction without fully vetting it, there's no recourse to reverse the damage you've just done. Transaction simulators built into modern wallets do help to mitigate this risk, and are designed to make it harder to sign malicious transactions without the users knowing, but some people can be more technically skilled than others. Ethereum's account-abstraction wallets have a much greater ability to recover a compromised private key (social recovery), but on Solana, the best way to recover is multisig via Squads, or careful management of your seed phrase.
Can someone derive my private key from my public key/address?
No! Nobody has the capability to derive your private key from your public key. It is a one-way street that you cannot go back through: deriving the public key from the private key requires a fraction of a millisecond with any computer. Reversing the relationship would require more computer power than would have existed for the entire duration of our known universe.