Skip to content
Latchkey

openssl dgst -sign: Sign and Verify Data

openssl dgst -sign signs data with a private key and -verify checks it with the public key.

For signing release artifacts or verifying a webhook, dgst -sign is the simple path. Keep the digest and key algorithm consistent on both ends.

What it does

openssl dgst -sign hashes the input and signs the digest with a private key, writing a binary signature. -verify checks a signature against the data using the matching public key and prints "Verified OK" or "Verification failure".

Common usage

Terminal
openssl dgst -sha256 -sign key.pem -out sig.bin file.tar.gz
openssl dgst -sha256 -verify pub.pem -signature sig.bin file.tar.gz

Options

FlagWhat it does
-sign <key>Sign with the given private key
-verify <pubkey>Verify against the given public key
-signature <file>Signature file to check (with -verify)
-sha256Digest algorithm (must match on both ends)
-out <file>Write the signature (with -sign)

Common errors in CI

"Verification failure" means the data, signature, key, or digest differ from signing; confirm the exact bytes and the same -sha256 on both sides. "unable to load Private Key" means a wrong path or missing passphrase. Signing with an EC key but verifying with the RSA public key (or vice versa) also fails verification.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →