Skill

gpg-sign

Sign a file or text with GPG — detached signature, clear-signed, or inline. Use when the user wants to publish a release artefact with a `.sig` file, prove authorship of a document, or sign a plain-text message that recipients can verify with their copy of their public key.

npx claudepluginhub danielrosehill/claude-code-plugins --plugin gpg-ops

Tool Access

This skill uses the workspace's default tool permissions.

Preview

The user wants to attach a cryptographic signature to a file or message — for release artefacts (`.tar.gz` + `.tar.gz.sig`), signed announcements, or signed email body text.

SKILL.md

Similar Skills

evm-token-decimals

175.2k

Prevents silent decimal mismatch bugs in EVM ERC-20 tokens via runtime decimals lookup, chain-aware caching, bridged-token handling, and normalization. For DeFi bots, dashboards using Python/Web3, TypeScript/ethers, Solidity.

everything-claude-code

Stats

Stars0

Forks0

Last CommitApr 30, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Sign with GPG

When to use

The user wants to attach a cryptographic signature to a file or message — for release artefacts (.tar.gz + .tar.gz.sig), signed announcements, or signed email body text.

Pick the signature mode

Mode	Flag	Output	When
Detached	`--detach-sign`	Separate `.sig` / `.asc` file alongside the original	Release artefacts, large binaries — original stays unchanged
Clear-signed	`--clearsign`	Plaintext wrapped in `-----BEGIN PGP SIGNED MESSAGE-----`	Signed email body, signed announcements that should remain human-readable
Inline	`--sign`	Single binary/armored blob containing message + signature	Niche; use detached or clear-signed instead in most cases

Detached signature (most common for releases)

gpg --armor --detach-sign --output <file>.sig <file>

Drop --armor if you want a binary .sig instead of an armored .asc-style signature. By GitHub-release convention, releases ship <artefact>.tar.gz + <artefact>.tar.gz.sig (binary) or .asc (armored).

To sign with a specific key (if you have multiple secret keys):

gpg --local-user <KEYID-or-email> --armor --detach-sign --output <file>.sig <file>

Clear-signed text

gpg --clearsign --output <file>.asc <file>

Or pipe text:

echo "Announcement: …" | gpg --clearsign

The output is human-readable plaintext with a signature appended — recipients can verify and read without a GPG-aware client.

Verifying that you signed correctly

Round-trip the signature locally before publishing:

gpg --verify <file>.sig <file>      # detached
gpg --verify <file>.asc             # clear-signed (verifies and prints the message)

You should see gpg: Good signature from "Your Name <email>".

Multiple signers

If multiple people need to sign the same artefact (e.g. a release with co-maintainers), each signer produces their own detached signature:

# Alice
gpg --local-user alice@... --detach-sign --armor -o release.tar.gz.alice.asc release.tar.gz
# Bob
gpg --local-user bob@... --detach-sign --armor -o release.tar.gz.bob.asc release.tar.gz

Verifiers run gpg --verify against each .asc.

Notes

Sign-and-encrypt in one step is handled by gpg-encrypt (--sign --encrypt), not here.
For signing git commits/tags, use git config commit.gpgsign true and git commit -S / git tag -s — that's a git workflow, not a direct GPG invocation.
The signing key must have the S capability flag (gpg --list-keys shows [SC] or [S] on the relevant subkey).