minisign -G: Generate a Signing Key Pair
minisign -G creates a public/secret key pair for signing and verifying files with Ed25519.
minisign is a dead-simple signing tool that produces one small public key you can paste into a README. Generate the pair once, keep the secret key in a CI secret, publish the public key.
What it does
minisign -G generates an Ed25519 key pair. By default the secret key is encrypted with a password and written to ~/.minisign/minisign.key; the public key goes to minisign.pub. -W writes an unencrypted secret key, which suits non-interactive CI.
Common usage
minisign -G -p minisign.pub -s minisign.key
# unencrypted secret key for CI (no password prompt)
minisign -G -W -p minisign.pub -s minisign.keyOptions
| Flag | What it does |
|---|---|
| -G | Generate a new key pair |
| -p <file> | Path to write the public key |
| -s <file> | Path to write the secret key |
| -W | Do not encrypt the secret key with a password |
| -f | Force: overwrite an existing key file |
In CI
Generate keys locally. To sign in a pipeline, store the (ideally -W unencrypted) secret key in a secret, write it to a temp file, and pass it with -s. An encrypted key would block on the password prompt.
Common errors in CI
"Key generation aborted: <file> already exists" means the target file is present; add -f to overwrite or pick a new path. If you kept the password on the key, signing later prints "Password:" and hangs the job; regenerate with -W or feed the password on stdin.