Skip to content
Latchkey

minisign -V: Verify a Signature

minisign -V verifies that a file matches its .minisig signature using the signer public key.

A verify step gates the pipeline: fetch the artifact and its signature, verify against the known public key, and fail the build if it does not match.

What it does

minisign -V checks the signature of the file named by -m using the public key from -p (a file) or -P (the key string inline). On success it prints the signed trusted comment and exits 0; on failure it exits non-zero.

Common usage

Terminal
minisign -V -p minisign.pub -m app-1.2.0.tar.gz
# public key inline (no file needed)
minisign -V -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3 \
  -m app-1.2.0.tar.gz

Options

FlagWhat it does
-VVerify a signature
-m <file>The file whose signature to check
-p <file>Public key file
-P <pubkey>Public key given inline as a string
-x <file>Signature file path if not <file>.minisig
-qQuiet: do not print the trusted comment on success

In CI

Pin the public key with -P inline so no extra file has to be fetched. minisign exits non-zero on a bad signature, so the step fails the job automatically; no need to parse output.

Common errors in CI

"Signature verification failed" means the file, signature, or key does not match; confirm you downloaded the exact artifact that was signed. "Comment signature verification failed" means the trusted comment was tampered with. "An error occurred while opening <file>.minisig" means the signature file is missing next to the artifact.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →