gpg --sign: Inline and Compressed Signatures
gpg --sign (-s) wraps the data and its signature together into one signed message.
Plain --sign bundles content and signature into a single (compressed, binary) object. For artifacts you usually want a detached signature instead, but --sign is the base operation.
What it does
gpg --sign compresses the input, signs it, and writes a single OpenPGP message containing both. gpg --verify or gpg --decrypt recovers and checks it. With --armor the output is text; --detach-sign and --clearsign are variants of the same signing operation.
Common usage
gpg --sign message.txt # -> message.txt.gpg (binary)
gpg --armor --sign message.txt # -> message.txt.asc (text)
# verify and recover the original
gpg --decrypt message.txt.gpg > message.txtOptions
| Flag | What it does |
|---|---|
| --sign / -s | Sign and wrap the data inline |
| --armor / -a | ASCII-armor the signed output |
| --local-user <id> / -u | Select the signing key |
| --detach-sign / -b | Variant: write a separate signature instead |
| --clearsign | Variant: keep text readable with an inline signature |
In CI
For distributing artifacts, prefer --detach-sign so consumers get the original file plus a small .sig. Use plain --sign only when you want one self-contained signed object. Either way, sign non-interactively with --batch --pinentry-mode loopback and a supplied passphrase.
Common errors in CI
"gpg: signing failed: Inappropriate ioctl for device" is the passphrase prompt with no TTY; switch to loopback pinentry. "gpg: no default secret key" means no signing key is configured; pass --local-user. To check a --sign output, use gpg --verify or gpg --decrypt; gpg --verify alone on a wrapped message reports the signature status.