> Yes. There is even an active function that allows you sign arbitrary bits to check if the passport actually contains the private key.
That's true for older passports, but there's actually a newer scheme that uses Diffie-Hellman key agreement instead, since non-repudiation, which is hard to avoid with RSA signatures, is considered a non-goal for passports. (Some governments apparently don't want them to be used as a "backdoor e-signing scheme", hence the change to the new repudiable authentication scheme.)
Some countries indeed also implement an e-signature scheme with their national identity cards (for example Germany), but this is a completely different scheme and accordingly protocol from the ICAO biometric travel document one.
Essentially, these countries run two applications on the document chip: One that lets anyone verify the authenticity of the document, using the ICAO PKI and active or chip authentication, and one that lets the document owner sign data, usually after entering a PIN or password (or anybody holding the document could do so on their behalf).
Other countries decouple e-signatures/remote authentication and electronically verifiable identity documents, e.g. Austria – which now has an ICAO-compatible identity card, but a completely separate e-signature schme based on, and it really pains me to say this... server-side private keys.
That's true for older passports, but there's actually a newer scheme that uses Diffie-Hellman key agreement instead, since non-repudiation, which is hard to avoid with RSA signatures, is considered a non-goal for passports. (Some governments apparently don't want them to be used as a "backdoor e-signing scheme", hence the change to the new repudiable authentication scheme.)