How to cleartext-sign a statement so anyone can prove you wrote it
- Step 1: Select the sign action — Set Action to Sign message (it is the default). The form shows a message box, a private-key box, and a passphrase field. There is no separate identity picker — the signing identity comes from the key you paste.
- Step 2: Write or paste the exact statement — Type the full statement into the message box exactly as you want it published, including line breaks and punctuation. The signature covers this text verbatim, so anything you add or remove afterward will break verification.
- Step 3: Paste your private key — Paste your -----BEGIN PGP PRIVATE KEY BLOCK----- into the key box. This must be a private (not public) key block — verification later uses the matching public key. The tool keeps no copy after this session.
- Step 4: Enter the protecting passphrase — Type the passphrase that protects the pasted private key. Signing first decrypts the key with this passphrase; a wrong or missing passphrase makes the sign fail with a decrypt error.
- Step 5: Sign and download — Run sign to download signed-message.asc — an armored cleartext-signed block with your statement still readable and a signature appended. The original text stays in plain view above the signature block.
- Step 6: Publish the statement and your public key — Post the signed-message.asc block wherever the statement belongs, and make your public key available so others can verify it. Anyone can confirm authorship by pasting both into the verify action or running gpg --verify.
Sign inputs and output
What the sign action reads and produces, from the tool's processor. The message and private key are always required, and the passphrase is required when the key is protected; sign uses no public key.
| Field | Role | Required? | Notes |
|---|---|---|---|
| message | The statement text to sign | Yes | Empty throws "No message provided." |
| armoredKey | Your -----BEGIN PGP PRIVATE KEY BLOCK----- | Yes | Empty throws "Paste a PGP private key block." |
| passphrase | The passphrase protecting that private key | Yes (if the key is protected) | Wrong/missing passphrase → decrypt error |
| Output | Armored cleartext-signed block | — | Downloads as signed-message.asc; text stays readable |
Cleartext signing vs other ways to prove authorship
Why a PGP cleartext signature beats the informal alternatives for a public statement. Only the signature gives cryptographic, after-the-fact verifiability.
| Method | Readable text? | Detects edits? | Verifiable by anyone? |
|---|---|---|---|
| Plain text with your name typed | Yes | No | No — anyone can forge it |
| Screenshot of the statement | Yes (as image) | No | No — trivially edited |
| Encrypted PGP message | No (scrambled) | On decrypt | Only those with the key |
| PGP cleartext signature (this tool) | Yes | Yes, per character | Yes — anyone with your public key |
Where signing runs and how it's gated
Execution and access facts for the sign action, from the schema and registry. Signing reads pasted text, so the family's per-file size limits never apply.
| Property | Value | Source / note |
|---|---|---|
| Execution | Browser-only (OpenPGP.js WASM) | Listed in BROWSER_ONLY_SECURITY_SLUGS |
| Secrets handled | Private key + passphrase, in-tab only | Decrypted client-side; never transmitted |
| Public API | Returns 400 with a pointer to the web tool | No server case exists for this slug |
| Minimum tier | Developer | minTier: developer in the registry |
| File-size limit | Not applicable | Input is text, so per-file caps never apply |
Cookbook
Concrete signing runs for public statements. The armored blocks below are truncated — your real key and signature are far longer. Everything happens in your browser tab.
Sign a maintainer hand-off notice
Action sign. The statement stays fully readable; a signature is appended so the community can confirm the real maintainer wrote it.
Action: sign
Message: As of 2026-06-13 I am handing maintenance of
this project to @newmaintainer. Trust their
commits going forward. — Dana Reyes
Private key: -----BEGIN PGP PRIVATE KEY BLOCK-----...
Passphrase: ••••••••••••
Download → signed-message.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

As of 2026-06-13 I am handing maintenance ...
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
Sign an account-verification message
Use a signed statement to link a new account or profile to a key people already trust. They verify it against your known public key.
Action: sign
Message: This confirms the account @dana_new belongs
to me. My key fingerprint ends A1B2 C3D4
E5F6 0718.
Private key + passphrase pasted
Download → signed-message.asc (post on the new profile)
Readers verify with your existing public key.
Sign a short policy declaration with line breaks intact
The signature covers the text verbatim, including newlines. Format the statement exactly as you want it before signing.
Action: sign
Message: SECURITY POLICY
- Report issues to security@example.org
- We respond within 72 hours
- PGP key below
Private key + passphrase pasted
The signed block preserves the three bullet lines
exactly; editing any of them later breaks verify.
Re-verify your own statement before publishing
Round-trip the signed block through the verify action with your public key to confirm it checks out before you post it publicly.
Action: verify
Signed message: (the signed-message.asc you just made)
Public key: your -----BEGIN PGP PUBLIC KEY BLOCK-----
Result: { "valid": true, "keyId": "a1b2c3d4e5f60718",
"text": "SECURITY POLICY ..." }
Good → safe to publish.
Show readers how to check it with gpg
Include verification instructions alongside the statement so anyone can confirm authorship without trusting your word.
# Anyone can run:
$ gpg --import dana-public.asc
$ gpg --verify statement.asc
gpg: Good signature from "Dana Reyes <dana@example.org>"
The last 16 hex digits of the key match the verify-action keyId.
Edge cases and what actually happens
Sign with the message field empty
No message provided
The sign path throws "No message provided." when the message box is empty. A cleartext signature needs at least one character of text — there is no concept of signing an empty statement.
Sign without pasting a private key
Paste a PGP private key block
Sign throws "Paste a PGP private key block." if the key box is empty. There is no saved-key list to fall back on, so every sign needs your armored private key pasted in that session.
Wrong or missing passphrase
Decrypt error
Signing first decrypts the pasted private key with the passphrase. A wrong passphrase — or leaving it blank when the key is protected — makes OpenPGP.js throw on decryptKey, and the sign fails. Re-enter the exact passphrase the key was created with.
Pasting a public key instead of a private one
Read error
Sign calls readPrivateKey on the pasted block, so a -----BEGIN PGP PUBLIC KEY BLOCK----- will not work — you cannot sign with a public key. Paste the matching private key block; the public key is only used later for verification.
Editing the statement after signing
Breaks verification
The signature covers the exact text, including whitespace and line breaks. Changing one character after signing makes verification report valid: false with Signed digest did not match. Always re-sign from the edited source rather than touching a signed block.
Quoting only part of the signed statement
By design — partial quotes don't verify
A cleartext signature covers the whole block. If someone quotes a fragment of your statement, that fragment alone won't verify — only the complete signed block does. That is the point: it lets readers detect selective or altered quoting.
Signing with an unprotected (no-passphrase) key
Works, but risky
If your private key was generated without a passphrase, signing succeeds with the passphrase field blank. It works, but the key is unprotected — anyone with the key file can sign statements as you. Prefer a passphrase-protected key for authorship attestation.
Tool is Developer-tier only
Tier-gated
The registry sets minTier: developer, so Free, Pro, and Pro-media accounts cannot open the sign action — they see an upgrade prompt. Signing shares the same Developer gate as generate and verify.
Trying to sign through the public API
400 rejected
Signing depends on the browser-targeted OpenPGP.js WASM bundle, so the server engine has no case for this slug and the API runner returns 400 with a pointer back to the web tool. Drive the browser UI; the server cannot sign on your behalf.
Expecting the statement to be encrypted, not just signed
Out of scope
A cleartext signature leaves the statement fully readable — it proves authorship, it does not hide the words. If you need to keep content confidential at rest, use aes-256-encryptor; this tool does not encrypt message bodies.
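Added example (not the tool's own code), relating to "Editing the statement after signing" and the policy declaration in the cookbook: a dependency-free JavaScript parser for the cleartext framing of RFC 4880 section 7 that recovers the text a signature covers. It shows that lines beginning with a dash are stored dash-escaped inside the block and that trailing spaces and tabs are stripped before hashing; the function names and the sample block are constructed for illustration, and the code does not check the signature itself.

```javascript
// Added example: recover the exact text a cleartext signature covers
// (RFC 4880 section 7 framing). It does NOT verify the signature itself.
const BEGIN_MSG = '-----BEGIN PGP SIGNED MESSAGE-----';
const BEGIN_SIG = '-----BEGIN PGP SIGNATURE-----';
const END_SIG = '-----END PGP SIGNATURE-----';

function parseCleartextSigned(block) {
  const lines = block.replace(/\r\n/g, '\n').split('\n');
  let i = lines.indexOf(BEGIN_MSG);
  if (i === -1) throw new Error('no cleartext header');
  // Armor headers run until the first empty line; only "Hash" is allowed here.
  const hashes = [];
  for (i += 1; i < lines.length && lines[i] !== ''; i += 1) {
    const m = /^Hash: (.+)$/.exec(lines[i]);
    if (!m) throw new Error('unexpected armor header: ' + lines[i]);
    hashes.push(...m[1].split(',').map((h) => h.trim()));
  }
  const sigStart = lines.indexOf(BEGIN_SIG, i);
  const sigEnd = lines.indexOf(END_SIG, sigStart);
  if (sigStart === -1 || sigEnd === -1) throw new Error('signature armor missing');
  const text = lines.slice(i + 1, sigStart).map((line) => {
    // A body line starting with "-" must be dash-escaped ("- " prefix);
    // anything else points to tampering or a truncated block.
    if (line.startsWith('-') && !line.startsWith('- ')) {
      throw new Error('unescaped dash line inside signed text');
    }
    const unescaped = line.startsWith('- ') ? line.slice(2) : line;
    return unescaped.replace(/[ \t]+$/, ''); // trailing blanks are not signed
  });
  // Canonical form is CRLF-joined; the newline before BEGIN_SIG is excluded.
  return { hashes, signedText: text.join('\r\n') };
}

// Constructed sample: the policy statement as it appears inside a signed block.
const SAMPLE = [
  BEGIN_MSG, 'Hash: SHA512', '',
  'SECURITY POLICY',
  '- - Report issues to security@example.org',
  '- - We respond within 72 hours',
  '- - PGP key below',
  BEGIN_SIG, '', '(constructed placeholder, not a real signature)', END_SIG,
].join('\n');

// True when two blocks would hash to the same signed text.
function coversSameText(a, b) {
  return parseCleartextSigned(a).signedText === parseCleartextSigned(b).signedText;
}

console.log(JSON.stringify(parseCleartextSigned(SAMPLE).signedText));
```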
Frequently asked questions
Will my statement still be readable after I sign it?
Yes. This is a cleartext signature: the output keeps your statement in plain text and appends a -----BEGIN PGP SIGNATURE----- block. Readers can read the statement without any key; they only need your public key to confirm you wrote it and that it hasn't changed.
How does a signature prove I wrote the statement?
The signature is made with your private key and can only be produced by whoever holds that key. Anyone with your matching public key can confirm the signature is valid for the exact text. A copied name or an altered word won't pass that check, so it proves authorship far better than typing your name.
Does my private key or passphrase leave my device?
No. Signing runs OpenPGP.js in your browser tab — the key is decrypted and used locally. The slug is on the browser-only list and the server API returns 400, so nothing is transmitted. Your private key, passphrase, and statement are discarded when you close the tab.
How do I sign a statement?
Set Action to Sign message, type the statement in the message box, paste your -----BEGIN PGP PRIVATE KEY BLOCK-----, and enter its passphrase. The tool downloads signed-message.asc — your statement in plain text with a signature appended.
Can people verify my statement without special software?
Yes. They can paste your signed block and your public key into the verify action of this tool, which runs in the browser with no install. If they have GnuPG, gpg --verify works too, and the key ID it shows matches the one the verify action returns.
What happens if someone edits my signed statement?
Verification fails. The signature covers the exact text, so changing even one character makes a verifier report valid: false with Signed digest did not match. That is the safeguard — it lets readers detect any alteration or selective quoting of your statement.
Can I sign with a key I made somewhere else?
Yes. The sign action accepts any armored OpenPGP private key you paste, along with its passphrase — for example one you generated in GnuPG or on another device. There is no import-and-store step; the key is used for that one sign and not retained.
Why did signing fail with a passphrase error?
Signing decrypts your private key with the passphrase you enter before it can sign. If the passphrase is wrong, or you left it blank for a passphrase-protected key, OpenPGP.js throws on decryptKey and the sign fails. Re-enter the exact passphrase the key was created with.
Can I sign with a public key?
No. Signing requires the private key block, because only the private key can create a signature. If you paste a public key, the sign action's readPrivateKey step fails. The public key is only used later, by you or others, to verify the signature.
Is the signed statement compatible with other PGP tools?
Yes. OpenPGP.js emits standard OpenPGP armor, so signed-message.asc verifies with GnuPG (gpg --verify), Sequoia, Mailvelope, and any OpenPGP-compliant client, as well as this tool's own verify action.
What tier do I need, and is there a size limit?
It is a Developer-tier tool. There is no file-size limit because you paste the statement and key as text rather than uploading a file, so the security family's per-file caps do not apply to signing.
Which JAD tools pair well with signing a statement?
To attest to a file's exact contents inside your statement, embed a hash from multi-hash-fingerprinter. To confirm a referenced file is byte-identical to a reference copy, use file-integrity-monitor. To check the passphrase guarding your signing key is strong, run it through password-entropy-auditor. For at-rest file encryption, use aes-256-encryptor.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.