Skip to content
Latchkey

minisign -G: Generate a Signing Key Pair

minisign -G creates a public/secret key pair for signing and verifying files with Ed25519.

minisign is a dead-simple signing tool that produces one small public key you can paste into a README. Generate the pair once, keep the secret key in a CI secret, publish the public key.

What it does

minisign -G generates an Ed25519 key pair. By default the secret key is encrypted with a password and written to ~/.minisign/minisign.key; the public key goes to minisign.pub. -W writes an unencrypted secret key, which suits non-interactive CI.

Common usage

Terminal
minisign -G -p minisign.pub -s minisign.key
# unencrypted secret key for CI (no password prompt)
minisign -G -W -p minisign.pub -s minisign.key

Options

FlagWhat it does
-GGenerate a new key pair
-p <file>Path to write the public key
-s <file>Path to write the secret key
-WDo not encrypt the secret key with a password
-fForce: overwrite an existing key file

In CI

Generate keys locally. To sign in a pipeline, store the (ideally -W unencrypted) secret key in a secret, write it to a temp file, and pass it with -s. An encrypted key would block on the password prompt.

Common errors in CI

"Key generation aborted: <file> already exists" means the target file is present; add -f to overwrite or pick a new path. If you kept the password on the key, signing later prints "Password:" and hangs the job; regenerate with -W or feed the password on stdin.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →