Skip to content
Latchkey

gpg --clearsign: Sign Text In Place

gpg --clearsign wraps text in a signature while keeping the original content human-readable.

When you want a signed message that people can still read, clearsign is the tool. It is common for signed manifests, checksums files, and release notes.

What it does

gpg --clearsign signs a text file and emits it wrapped in a BEGIN PGP SIGNED MESSAGE block followed by the signature. The original text stays readable inline, unlike a detached or binary signature.

Common usage

Terminal
gpg --clearsign SHA256SUMS
# non-interactive in CI, output to a named file
gpg --batch --yes --pinentry-mode loopback \
  --passphrase "$GPG_PASSPHRASE" \
  --output SHA256SUMS.asc --clearsign SHA256SUMS

Options

FlagWhat it does
--clearsignMake a cleartext signature wrapping the message
--local-user <id> / -uSelect the signing key
--output <file> / -oWhere to write the signed message
--digest-algo SHA256Force the hash algorithm used
--pinentry-mode loopbackSupply the passphrase non-interactively

Common errors in CI

"gpg: signing failed: Inappropriate ioctl for device" is the no-TTY passphrase prompt; add --pinentry-mode loopback and --passphrase. A clearsigned file that verifies locally but fails elsewhere often had its line endings rewritten (CRLF vs LF); clearsign is sensitive to whitespace, so do not let editors or checkout settings alter it.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →