gpg --clearsign: Sign Text In Place
gpg --clearsign wraps text in a signature while keeping the original content human-readable.
When you want a signed message that people can still read, clearsign is the tool. It is common for signed manifests, checksums files, and release notes.
What it does
gpg --clearsign signs a text file and emits it wrapped in a BEGIN PGP SIGNED MESSAGE block followed by the signature. The original text stays readable inline, unlike a detached or binary signature.
Common usage
gpg --clearsign SHA256SUMS
# non-interactive in CI, output to a named file
gpg --batch --yes --pinentry-mode loopback \
--passphrase "$GPG_PASSPHRASE" \
--output SHA256SUMS.asc --clearsign SHA256SUMSOptions
| Flag | What it does |
|---|---|
| --clearsign | Make a cleartext signature wrapping the message |
| --local-user <id> / -u | Select the signing key |
| --output <file> / -o | Where to write the signed message |
| --digest-algo SHA256 | Force the hash algorithm used |
| --pinentry-mode loopback | Supply the passphrase non-interactively |
Common errors in CI
"gpg: signing failed: Inappropriate ioctl for device" is the no-TTY passphrase prompt; add --pinentry-mode loopback and --passphrase. A clearsigned file that verifies locally but fails elsewhere often had its line endings rewritten (CRLF vs LF); clearsign is sensitive to whitespace, so do not let editors or checkout settings alter it.