Detached signature.

A PGP signature stored in a separate .sig (or .asc) file that lives alongside the file it signs. Common for software releases — the original tarball ships unchanged and the signature ships next to it. Verification needs both files.

// definition

A detached signature is a PGP signature stored in a separate file from the content it signs. The original file (release tarball, binary, document) stays unchanged; the signature file (typically .sig for binary or .asc for armored) sits alongside it.

What it is.

Detached signatures address a problem clearsigning can't: you want to sign a binary file (a tarball, a software package, a PDF), and modifying that file to include the signature would break it. The solution is to compute the signature, save it to a separate file, and distribute the two together.

The signature file contains everything needed to verify: which key signed, what hash algorithm was used, the signature value itself. To verify, you point the OpenPGP tool at both files:

gpg --verify release-2.4.0.tar.gz.sig release-2.4.0.tar.gz

The tool re-hashes the original file, checks the signature against that hash with the signer's public key, and reports valid or invalid. If either file is missing or wrong, or the signer's public key isn't in your keyring, verification fails.

Why it matters.

Detached signatures are the standard way to sign released artifacts in open source. Every Linux distribution, every signed software release, every reproducible-builds verification workflow uses the pattern: produce the artifact, sign with a detached signature, distribute both. Downstream packagers verify before incorporating the artifact into their distribution.

The trade-off vs. clearsigning is that the two files must travel together. Lose the .sig and you have an unverifiable file. Mix up which signature goes with which release and verification fails. Conventional naming (filename.tar.gz + filename.tar.gz.sig) prevents most mistakes.
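Two things the verification step above and the pairing problem here leave to the operator: `gpg --verify` exiting 0 only says that some key in the keyring produced a valid signature, not that it was the release key, and a directory of artifacts has to be matched to the right .sig files before anything is checked. The following is an added example, not PGPony's or GnuPG's code. It reads gpg's machine-readable `--status-fd` lines (the `GOODSIG`, `VALIDSIG`, `BADSIG` and related tags documented in GnuPG's DETAILS file), pins the expected release-key fingerprint, and pairs artifacts with signatures by the naming convention; the fingerprints and status lines in the sample are constructed for the example, and `release@example.org` is a placeholder.

```python
"""Added example, not PGPony's code: decide whether a detached signature is
acceptable by parsing gpg's machine-readable status output, pinning the
release key's fingerprint, and pairing artifacts with their .sig/.asc files."""
import os
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "          # every --status-fd line starts with this
SIG_SUFFIXES = (".sig", ".asc")      # conventional detached-signature extensions
# Status tags after which the signature must not be trusted, whatever else appears.
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    good: bool                          # signature matches the file AND the pinned key
    fingerprint: Optional[str]          # fingerprint of the key that made the signature
    errors: List[str] = field(default_factory=list)


def parse_status(status_text: str, expected_fpr: Optional[str] = None) -> VerifyResult:
    """Interpret gpg --status-fd lines. GOODSIG only says 'some key in the keyring
    signed this'; the VALIDSIG fingerprint is what we compare to the pinned release key."""
    good, fprs, errors = False, [], []
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and args:
            fprs.append(args[0].upper())            # signing (sub)key fingerprint
            if len(args) >= 10:
                fprs.append(args[9].upper())        # primary key fingerprint, if gpg emits it
        elif tag in REJECT_TAGS:
            errors.append(tag)
    if errors:
        good = False
    if expected_fpr is not None:
        want = expected_fpr.replace(" ", "").upper()
        if good and want not in fprs:
            errors.append("UNEXPECTED_KEY")          # valid signature, but not the release key
            good = False
    return VerifyResult(good, fprs[0] if fprs else None, errors)


def verify_detached(sig_path: str, artifact_path: str, expected_fpr: str,
                    gnupghome: Optional[str] = None) -> VerifyResult:
    """Run gpg as on the page (signature file first, then the artifact) and decide
    from the parsed status lines rather than from the exit code alone."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, artifact_path]
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome       # e.g. a keyring holding only the release key
    proc = subprocess.run(cmd, capture_output=True, text=True, env=env)
    result = parse_status(proc.stdout, expected_fpr)
    if proc.returncode != 0 and result.good:
        result.good = False
        result.errors.append(f"gpg exited {proc.returncode}")
    return result


def pair_artifacts(filenames: List[str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Match artifacts to signatures by the filename.tar.gz + filename.tar.gz.sig
    convention. Returns (pairs, artifacts with no signature, signatures with no artifact)."""
    names = set(filenames)
    pairs: Dict[str, str] = {}
    orphans: List[str] = []
    for name in sorted(names):
        if name.endswith(SIG_SUFFIXES):
            base = name.rsplit(".", 1)[0]
            if base in names:
                pairs.setdefault(base, name)
            else:
                orphans.append(name)          # a .sig whose artifact is missing
    unsigned = [n for n in sorted(names) if not n.endswith(SIG_SUFFIXES) and n not in pairs]
    return pairs, unsigned, orphans


# Constructed sample status output; the fingerprints are made up for this example.
RELEASE_KEY_FPR = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2024-01-01 1704067200 0 4 0 1 8 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Release Key <release@example.org>
"""

if __name__ == "__main__":
    print(parse_status(SAMPLE_GOOD, RELEASE_KEY_FPR))      # good=True
    print(parse_status(SAMPLE_GOOD, "0000 " * 10))          # UNEXPECTED_KEY
    print(parse_status(SAMPLE_BAD, RELEASE_KEY_FPR))        # BADSIG
    print(pair_artifacts(["release-2.4.0.tar.gz", "release-2.4.0.tar.gz.sig",
                          "release-2.3.0.tar.gz.sig", "notes.txt"]))
```

The design choice is that `good` is only true when the signature is valid and the signing key (or its primary key) matches the pinned fingerprint; a signature from any other key in the keyring is reported as `UNEXPECTED_KEY`. Pointing `GNUPGHOME` at a keyring that contains only the release key is a complementary control, not a replacement for the pin.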

// producing a detached signature
gpg --detach-sign --armor release-2.4.0.tar.gz   # produces release-2.4.0.tar.gz.asc (text)
gpg --detach-sign release-2.4.0.tar.gz           # produces release-2.4.0.tar.gz.sig (binary)
# verify either with (name the .asc file instead for the armored signature):
gpg --verify release-2.4.0.tar.gz.sig release-2.4.0.tar.gz

// in PGPony

The Decrypt tab handles incoming detached signatures — share both the original file and the .sig file into PGPony and the verify flow pairs them automatically. Producing detached signatures on release artifacts typically happens on a desktop with gpg, since that's where your build artifacts live.
