Skip to content
Latchkey

gpg --sign: Inline and Compressed Signatures

gpg --sign (-s) wraps the data and its signature together into one signed message.

Plain --sign bundles content and signature into a single (compressed, binary) object. For artifacts you usually want a detached signature instead, but --sign is the base operation.

What it does

gpg --sign compresses the input, signs it, and writes a single OpenPGP message containing both. gpg --verify or gpg --decrypt recovers and checks it. With --armor the output is text; --detach-sign and --clearsign are variants of the same signing operation.

Common usage

Terminal
gpg --sign message.txt          # -> message.txt.gpg (binary)
gpg --armor --sign message.txt   # -> message.txt.asc (text)
# verify and recover the original
gpg --decrypt message.txt.gpg > message.txt

Options

FlagWhat it does
--sign / -sSign and wrap the data inline
--armor / -aASCII-armor the signed output
--local-user <id> / -uSelect the signing key
--detach-sign / -bVariant: write a separate signature instead
--clearsignVariant: keep text readable with an inline signature

In CI

For distributing artifacts, prefer --detach-sign so consumers get the original file plus a small .sig. Use plain --sign only when you want one self-contained signed object. Either way, sign non-interactively with --batch --pinentry-mode loopback and a supplied passphrase.

Common errors in CI

"gpg: signing failed: Inappropriate ioctl for device" is the passphrase prompt with no TTY; switch to loopback pinentry. "gpg: no default secret key" means no signing key is configured; pass --local-user. To check a --sign output, use gpg --verify or gpg --decrypt; gpg --verify alone on a wrapped message reports the signature status.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →