Making and verifying a detached signature using a PGP key pair in Linux

Saturday, August 10, 2024 at 7:10 PM | 3 min read

Last modified on Friday, May 29, 2026 at 4:51 PM

#asymmetric encryption, #detached signature, #gpg, #linux, #pgp, #pgp key pair, #security, #series, #verification

[Image: man holding a signature on a card. Photo by Signature Pro on unsplash.com]

Making and verifying digital signatures using GPG in Linux recap

In the first article of this series entitled Making and verifying a detached signature using a PGP key pair in Linux, I discussed how to make and verify a (regular) signature using a PGP key pair. I went over:

  • what a digital signature is and why to use one,
  • the digital signature process,
  • why they should be used with PGP (or PKI, but that is outside the scope of this article),
  • how to create a digital signature using a PGP key pair (a form of asymmetric encryption),
  • why asymmetric encryption is more secure than symmetric encryption,
  • how to edit a public PGP key and how to list the public PGP keys,
  • how to delete a PGP public key uid,
  • how to create a revocation certificate for a PGP key pair and why you should have one,
  • how to make a signature, and how to verify it.

In this article, I discuss what a detached signature is, how it compares to a complete signature, how to make one using a PGP key pair, and how to verify it.

What is a detached signature?

A detached signature is stored separately from the file or data being signed, as opposed to a complete signature, which contains both the original information and the signature.

Creating a detached signature using --detach-sign

If I want to create a detached signature for my make_signature.txt file, I would run the following in Terminal:

# I could also use the `-b` flag instead, which is the shorthand for `--detach-sign`
gpg --detach-sign make_signature.txt
# when I hit return, the passphrase prompt appears
# after I have entered the passphrase for the PGP key pair I am using and hit "OK", I am returned to the Terminal command prompt

If I run the ls command on the current working directory, I will see that a new file called make_signature.txt.sig has been created:

make_signature.txt make_signature.txt.sig

Verifying the detached signature

To verify the detached signature, I run the following in Terminal:

gpg --verify make_signature.txt.sig make_signature.txt
# the following is returned when I hit the `Return` key:
gpg: Signature made Sat 10 Aug 2024 04:04:06 PM EDT
gpg: using RSA key xxxxxxxxxxxxxxxx
gpg: Good signature from "Maria (GPG key pair for local tesing with correct email) <amria#maria-VirtualBox>" [ultimate]

If the signature file is named after the original file (the original name plus the .sig extension), gpg can infer which file was signed, so I can run the following instead:

gpg --verify make_signature.txt.sig
# and the following is returned:
gpg: assuming signed data in "make_signature.txt"
gpg: Signature made Sat 10 Aug 2024 04:04:06 PM EDT
gpg: using RSA key xxxxxxxxxxxxxxxx
gpg: Good signature from "Maria (GPG key pair for local tesing with correct email) <amria#maria-VirtualBox>" [ultimate]

Complete signature vs detached signature

When we create a "complete" signature, as we did in the previous article by running gpg -s make_signature.txt (which produces a file with the .gpg extension),

  • the make_signature.txt.gpg file is complete because we could send it to someone and it would be readable using GPG and our public key.
  • --sign compresses, signs and outputs the signed text in a binary format.
  • Another user has to recover the original file from the signed version. The resulting .gpg file contains the signed file.

When we create a detached signature,

  • both the file and detached signature are needed to verify the signature.
  • the resulting .sig file won't contain the signed file, only the signature.
  • The recipient would need both the original file and the signature file in order to both read the data and verify it.

Basically, the question here is: "Is it more important to make the data unreadable in transit (complete signature)?" or "Is it more important that the data just be verified (detached signature)?"
