minisign -V: Verify a Signature
minisign -V verifies that a file matches its .minisig signature using the signer public key.
A verify step gates the pipeline: fetch the artifact and its signature, verify against the known public key, and fail the build if it does not match.
What it does
minisign -V checks the signature of the file named by -m using the public key from -p (a file) or -P (the key string inline). On success it prints the signed trusted comment and exits 0; on failure it exits non-zero.
Common usage
minisign -V -p minisign.pub -m app-1.2.0.tar.gz
# public key inline (no file needed)
minisign -V -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3 \
-m app-1.2.0.tar.gzOptions
| Flag | What it does |
|---|---|
| -V | Verify a signature |
| -m <file> | The file whose signature to check |
| -p <file> | Public key file |
| -P <pubkey> | Public key given inline as a string |
| -x <file> | Signature file path if not <file>.minisig |
| -q | Quiet: do not print the trusted comment on success |
In CI
Pin the public key with -P inline so no extra file has to be fetched. minisign exits non-zero on a bad signature, so the step fails the job automatically; no need to parse output.
Common errors in CI
"Signature verification failed" means the file, signature, or key does not match; confirm you downloaded the exact artifact that was signed. "Comment signature verification failed" means the trusted comment was tampered with. "An error occurred while opening <file>.minisig" means the signature file is missing next to the artifact.