minisign -S: Sign a Release Artifact
minisign -S signs a file with your secret key, producing a compact .minisig signature others verify with your public key.
Signing a release tarball is a two-line step: point -s at the secret key and -m at the artifact. The trusted comment lets you embed a note (like a version) that is also signed.
What it does
minisign -S signs the file given by -m with the secret key from -s, writing <file>.minisig next to it. The signature covers the file plus a trusted comment (-t) that verifiers can display and rely on.
Common usage
minisign -S -s minisign.key -m app-1.2.0.tar.gz
# add a signed trusted comment
minisign -S -s minisign.key -m app-1.2.0.tar.gz \
-t "release 1.2.0 built on CI"Options
| Flag | What it does |
|---|---|
| -S | Sign a file |
| -m <file> | The file to sign |
| -s <file> | Secret key to sign with |
| -t <comment> | Trusted comment (signed, shown on verify) |
| -c <comment> | Untrusted comment (not signed) |
| -x <file> | Write the signature to a specific path |
In CI
Use an unencrypted secret key (generated with -W) or the sign step will prompt for a password and hang. Publish the .minisig alongside the artifact so downstream jobs and users can verify.
Common errors in CI
"Password:" appearing at all means the secret key is encrypted; regenerate with -W or supply the password non-interactively. "Unable to load the secret key" means -s is wrong or the file is truncated. "Signature verification will fail" downstream usually traces to signing a different build than the one published.