Skip to content
Latchkey

signify: OpenBSD Signing and Verification

signify generates keys, signs files, and verifies signatures with Ed25519, the way OpenBSD signs its releases.

signify predates minisign and shares its philosophy: tiny keys, one signature file. On Debian/Ubuntu it is packaged as signify-openbsd. Common in release pipelines that sign a SHA256 checksum list.

What it does

signify -G makes a key pair, -S signs a file into <file>.sig, and -V verifies. -e embeds the signed message inside the signature (used for checksum files) so verifying also emits the original content.

Common usage

Terminal
signify -G -p key.pub -s key.sec
signify -S -s key.sec -m SHA256 -e -x SHA256.sig
signify -V -p key.pub -m SHA256 -e -x SHA256.sig

Options

FlagWhat it does
-GGenerate a key pair (-p public, -s secret)
-SSign the message given by -m
-VVerify a signature
-m <file>Message/file to sign or verify
-x <file>Signature file (default <file>.sig)
-eEmbed the message in the signature (gzip verify pattern)
-nDo not encrypt the secret key with a passphrase

In CI

Generate the key with -n so the secret key has no passphrase and signing does not prompt. On Debian-based runners the binary is signify-openbsd; check the package name before scripting it.

Common errors in CI

"signify: unable to read/parse key file" means -s or -p points at the wrong file. "signify: signature verification failed" means the file changed or the wrong public key was used. If signing prompts "passphrase:", the key was made without -n; regenerate or pipe the passphrase.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →