openssl dgst -sign: Sign and Verify Data
openssl dgst -sign signs data with a private key and -verify checks it with the public key.
For signing release artifacts or verifying a webhook, dgst -sign is the simple path. Keep the digest and key algorithm consistent on both ends.
What it does
openssl dgst -sign hashes the input and signs the digest with a private key, writing a binary signature. -verify checks a signature against the data using the matching public key and prints "Verified OK" or "Verification failure".
Common usage
openssl dgst -sha256 -sign key.pem -out sig.bin file.tar.gz
openssl dgst -sha256 -verify pub.pem -signature sig.bin file.tar.gzOptions
| Flag | What it does |
|---|---|
| -sign <key> | Sign with the given private key |
| -verify <pubkey> | Verify against the given public key |
| -signature <file> | Signature file to check (with -verify) |
| -sha256 | Digest algorithm (must match on both ends) |
| -out <file> | Write the signature (with -sign) |
Common errors in CI
"Verification failure" means the data, signature, key, or digest differ from signing; confirm the exact bytes and the same -sha256 on both sides. "unable to load Private Key" means a wrong path or missing passphrase. Signing with an EC key but verifying with the RSA public key (or vice versa) also fails verification.