Skip to content
Latchkey

minisign -S: Sign a Release Artifact

minisign -S signs a file with your secret key, producing a compact .minisig signature others verify with your public key.

Signing a release tarball is a two-line step: point -s at the secret key and -m at the artifact. The trusted comment lets you embed a note (like a version) that is also signed.

What it does

minisign -S signs the file given by -m with the secret key from -s, writing <file>.minisig next to it. The signature covers the file plus a trusted comment (-t) that verifiers can display and rely on.

Common usage

Terminal
minisign -S -s minisign.key -m app-1.2.0.tar.gz
# add a signed trusted comment
minisign -S -s minisign.key -m app-1.2.0.tar.gz \
  -t "release 1.2.0 built on CI"

Options

FlagWhat it does
-SSign a file
-m <file>The file to sign
-s <file>Secret key to sign with
-t <comment>Trusted comment (signed, shown on verify)
-c <comment>Untrusted comment (not signed)
-x <file>Write the signature to a specific path

In CI

Use an unencrypted secret key (generated with -W) or the sign step will prompt for a password and hang. Publish the .minisig alongside the artifact so downstream jobs and users can verify.

Common errors in CI

"Password:" appearing at all means the secret key is encrypted; regenerate with -W or supply the password non-interactively. "Unable to load the secret key" means -s is wrong or the file is truncated. "Signature verification will fail" downstream usually traces to signing a different build than the one published.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →