signify: OpenBSD Signing and Verification
signify generates keys, signs files, and verifies signatures with Ed25519, the way OpenBSD signs its releases.
signify predates minisign and shares its philosophy: tiny keys, one signature file. On Debian/Ubuntu it is packaged as signify-openbsd. Common in release pipelines that sign a SHA256 checksum list.
What it does
signify -G makes a key pair, -S signs a file into <file>.sig, and -V verifies. -e embeds the signed message inside the signature (used for checksum files) so verifying also emits the original content.
Common usage
signify -G -p key.pub -s key.sec
signify -S -s key.sec -m SHA256 -e -x SHA256.sig
signify -V -p key.pub -m SHA256 -e -x SHA256.sigOptions
| Flag | What it does |
|---|---|
| -G | Generate a key pair (-p public, -s secret) |
| -S | Sign the message given by -m |
| -V | Verify a signature |
| -m <file> | Message/file to sign or verify |
| -x <file> | Signature file (default <file>.sig) |
| -e | Embed the message in the signature (gzip verify pattern) |
| -n | Do not encrypt the secret key with a passphrase |
In CI
Generate the key with -n so the secret key has no passphrase and signing does not prompt. On Debian-based runners the binary is signify-openbsd; check the package name before scripting it.
Common errors in CI
"signify: unable to read/parse key file" means -s or -p points at the wrong file. "signify: signature verification failed" means the file changed or the wrong public key was used. If signing prompts "passphrase:", the key was made without -n; regenerate or pipe the passphrase.