How to check a PGP-signed message in your browser, no software to install
- Step 1: Set the action to verify — Choose `Verify signed message` in the Action dropdown. The form collapses to the two fields verification needs — a signed-message box and a public-key box. There is no passphrase or private-key field for this action.
- Step 2: Paste the whole signed block — Copy the message from `-----BEGIN PGP SIGNED MESSAGE-----` through `-----END PGP SIGNATURE-----` — including the `Hash:` header and the signature — into the first textarea. Partial blocks fail to parse; the armor must be intact.
- Step 3: Paste the sender's public key — Put the signer's `-----BEGIN PGP PUBLIC KEY BLOCK-----` into the second textarea. This must be the public key of the person who actually signed — a different key (even a colleague's) will report invalid.
- Step 4: Run verify — Submit. OpenPGP.js reads both armored blocks, runs the signature check against the cleartext, and returns a JSON result. Nothing about this step contacts a server.
- Step 5: Read the verdict — Check `valid` first. If `true`, confirm `keyId` is the key you expected and that `text` is the message you meant to verify. If `false`, `keyId` carries the OpenPGP error string explaining why.
- Step 6: Match the key ID to a trusted source — A valid signature only proves the message matches the pasted public key — it does not prove the key belongs to a real person. Compare the returned 16-hex `keyId` against a fingerprint the sender published independently before you trust the identity.
Verify inputs and outputs
Exactly what the verify action reads and returns, taken from the tool's processor. No private key or passphrase is involved in verification.
| Field | Role | Required? | Notes |
|---|---|---|---|
| `signedMessage` | The `-----BEGIN PGP SIGNED MESSAGE-----` block | Yes | Empty input throws `Paste the signed cleartext message.` |
| `publicKey` | The signer's `-----BEGIN PGP PUBLIC KEY BLOCK-----` | Yes | Empty input throws `Paste the signer's public key.` |
| `valid` (output) | Whether the signature matches the text and key | — | Boolean; check this first |
| `keyId` (output) | 16-hex signing key, or error string on failure | — | On a bad signature this holds the OpenPGP error, not a key ID |
| `text` (output) | The exact message that was under the signature | — | Read this to confirm what was actually signed |
How to read the verify result
Mapping the JSON verdict to a real-world conclusion. The combination of valid and keyId tells you whether the problem is tampering, the wrong key, or a malformed paste.
| valid | keyId contains | What it means | What to do |
|---|---|---|---|
| true | A 16-hex key ID | Signature is genuine for the pasted key; text is unaltered | Confirm the key ID matches a fingerprint the sender published |
| false | `Signed digest did not match` | The text was changed after signing, or paired with the wrong signature | Re-fetch the original signed block; do not trust the message |
| false | A key-mismatch / no-signature error | The signature was made by a different key than the public key you pasted | Get the signer's actual public key and re-verify |
| (throws) | Parse error before result | The signed block or public key armor is truncated or malformed | Re-copy the full block including BEGIN/END lines |
Where verification runs and how it's gated
Execution and access facts for the verify action, from the schema and registry. Because input is pasted text, the security family's per-file size limits never apply.
| Property | Value | Source / note |
|---|---|---|
| Execution | Browser-only (OpenPGP.js WASM) | Listed in BROWSER_ONLY_SECURITY_SLUGS |
| Public API | Returns 400 with a pointer to the web tool | No server case exists for this slug |
| Minimum tier | Developer | minTier: developer in the registry |
| Secrets used | None — public key only | Verify never touches a private key or passphrase |
| File-size limit | Not applicable | Input is text, so the 10 MB/100 MB/500 MB/2 GB caps never apply |
Cookbook
Practical verification runs. The armored blocks below are truncated for readability — your real blocks are far longer and must be pasted complete. Every check happens in your browser tab.
Verify a security advisory you received by email
Action: `verify`. Paste the full signed advisory and the vendor's published public key. A `valid: true` with the expected key ID confirms the advisory is genuine and unedited.
```
Action: verify
Signed message: -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory CVE-2026-1234: patch by Friday.
-----BEGIN PGP SIGNATURE-----...
Public key: -----BEGIN PGP PUBLIC KEY BLOCK-----...
Result:
{
  "valid": true,
  "keyId": "a1b2c3d4e5f60718",
  "text": "Advisory CVE-2026-1234: patch by Friday."
}
```
Catch a message that was edited after signing
If even one character of the cleartext changed since it was signed, the digest no longer matches. `valid` comes back `false` and `keyId` carries the OpenPGP error string.
```
Tampered line: ...patch by Monday. (was "Friday")
Action: verify (same public key)
Result:
{
  "valid": false,
  "keyId": "Signed digest did not match",
  "text": "Advisory CVE-2026-1234: patch by Monday."
}
→ Treat the message as untrustworthy; request the original.
```
Spot a wrong-key situation
If you paste a public key that did not make the signature, verification cannot confirm it. The result is invalid, but the error differs from a digest-mismatch — it points to a key/signature mismatch.
```
Action: verify
(signed by key A, but you pasted public key B)
Result:
{
  "valid": false,
  "keyId": "<key-mismatch error from OpenPGP>",
  "text": "Advisory CVE-2026-1234: patch by Friday."
}
→ Fetch the signer's real public key, then verify again.
```
Confirm the key ID against a published fingerprint
A valid signature proves the message matches the pasted key — not that the key is the right person's. Match the returned 16-hex key ID against a fingerprint the sender posted on their own site.
```
Verify result keyId: a1b2c3d4e5f60718
Vendor security page lists fingerprint: ABCD 1234 ... A1B2 C3D4 E5F6 0718
Last 16 hex chars match → identity confirmed.
If they don't match, the key is not the vendor's.
```
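The result-reading table and the key-ID check above, combined into one triage function as an added example (not the tool's own code). `triageVerifyResult`, `normalizeFingerprint` and the sample fingerprint are hypothetical, and the code assumes a v4 key whose key ID is the last 16 hex digits of its 40-hex fingerprint.

```javascript
// Added example, not the tool's code. Assumes a v4 key: the 16-hex key ID
// is the last 16 hex digits of the 40-hex fingerprint.
const KEY_ID_RE = /^[0-9a-f]{16}$/;

function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/^0x/i, "").replace(/[\s:]/g, "").toLowerCase();
  if (!/^[0-9a-f]{40}$/.test(hex)) {
    throw new Error("expected a full 40-hex fingerprint, not a short ID");
  }
  return hex;
}

// result: the { valid, keyId, text } object the verify action returns.
function triageVerifyResult(result, publishedFingerprint, expectedText) {
  const keyId = String(result.keyId ?? "").toLowerCase();
  if (result.valid !== true) {
    // On failure keyId carries the OpenPGP error string, not a key ID.
    const reason = /digest did not match/.test(keyId)
      ? "text-altered-or-wrong-signature"
      : "wrong-key-or-no-signature";
    return { trusted: false, reason, detail: String(result.keyId) };
  }
  if (!KEY_ID_RE.test(keyId)) {
    return { trusted: false, reason: "key-id-malformed", detail: keyId };
  }
  if (!normalizeFingerprint(publishedFingerprint).endsWith(keyId)) {
    return { trusted: false, reason: "key-id-not-in-published-fingerprint", detail: keyId };
  }
  if (expectedText !== undefined && result.text !== expectedText) {
    return { trusted: false, reason: "signed-text-is-not-the-expected-message", detail: result.text };
  }
  return { trusted: true, reason: "valid-signature-from-published-key", detail: keyId };
}

// Constructed sample values (the fingerprint is made up for this example).
const PUBLISHED_FP = "0123 4567 89AB CDEF 0123 4567 A1B2 C3D4 E5F6 0718";
const GOOD = { valid: true, keyId: "a1b2c3d4e5f60718", text: "Advisory CVE-2026-1234: patch by Friday." };
const TAMPERED = { valid: false, keyId: "Signed digest did not match", text: "Advisory CVE-2026-1234: patch by Monday." };

console.log(triageVerifyResult(GOOD, PUBLISHED_FP, GOOD.text));
console.log(triageVerifyResult(TAMPERED, PUBLISHED_FP));
```

A key-ID match compares only 64 bits of the fingerprint; when you can see the full fingerprint of the key you pasted, compare all 40 hex digits.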
Cross-check with gpg when you do have it
When GnuPG is available you can confirm the browser verdict matches. The long key ID GnuPG prints ends in the same 16 hex characters this tool returns.
```
$ gpg --import vendor-public.asc
$ gpg --verify advisory.asc
gpg: Good signature from "Vendor Security <sec@vendor.example>"
gpg: using EDDSA key ...A1B2C3D4E5F60718
Browser verify → "valid": true, "keyId": "a1b2c3d4e5f60718"
```
Edge cases and what actually happens
Signed block pasted but public key field empty
[Paste the signer's public key] Verify throws `Paste the signer's public key.` when the public-key textarea is empty. You cannot verify a signature without the public key that pairs with the private key that made it — there is no keyserver lookup in this tool.
Public key pasted but signed block empty
[Paste the signed cleartext message] If the signed-message textarea is empty, verify throws `Paste the signed cleartext message.` Both inputs are mandatory; the tool will not infer a message from the key.
Message text changed after signing
[valid: false] Editing any character of the cleartext breaks the signature. OpenPGP.js reports `valid: false` and puts `Signed digest did not match` in `keyId`. This is the expected, correct behaviour — never edit a signed block in place; ask the sender to re-sign from the source.
Verified against a different person's public key
[valid: false] If the signature was made by key A but you paste key B's public block, the signature cannot be confirmed: `valid` is `false` and `keyId` holds a key/signature mismatch error rather than a key ID. Make sure you have the actual signer's public key.
Truncated or malformed armor
[Parse error] OpenPGP.js throws while reading the armor if the BEGIN/END lines, base64 body, or checksum are incomplete. Re-copy the entire block from the first dash of `-----BEGIN` to the last dash of `-----END`, with nothing trimmed.
Pasting a detached or encrypted block instead of a cleartext-signed one
[Wrong block type] The verify action calls `readCleartextMessage`, which expects a `-----BEGIN PGP SIGNED MESSAGE-----` cleartext block. A `-----BEGIN PGP MESSAGE-----` (encrypted) or a standalone detached signature is a different format and will fail to parse here. This tool only verifies cleartext signatures.
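A structural pre-flight for the two paste failures above (truncated armor and the wrong block type), added here as an example rather than taken from the tool. `classifyPaste` and its result labels are hypothetical, and the rule that only `Hash:` headers precede the blank line follows the OpenPGP cleartext signature framework.

```javascript
// Added example, not the tool's code: structural pre-flight for the
// signed-message box. It checks framing only and never verifies a signature.
const SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----";
const SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----";
const SIG_END = "-----END PGP SIGNATURE-----";
const WRONG_TYPES = new Map([
  ["-----BEGIN PGP MESSAGE-----", "pgp-message-not-cleartext"],
  [SIG_BEGIN, "detached-signature"],
  ["-----BEGIN PGP PUBLIC KEY BLOCK-----", "public-key-block"],
]);

function classifyPaste(input) {
  const lines = String(input).replace(/\r\n?/g, "\n").trim().split("\n")
    .map((l) => l.trimEnd());
  const first = lines[0];
  if (first === "") return { ok: false, kind: "empty" };
  if (WRONG_TYPES.has(first)) return { ok: false, kind: WRONG_TYPES.get(first) };
  if (first !== SIGNED_BEGIN) return { ok: false, kind: "no-signed-message-header" };

  const sigAt = lines.indexOf(SIG_BEGIN);
  if (sigAt === -1) return { ok: false, kind: "truncated-before-signature" };
  if (lines[lines.length - 1] !== SIG_END) return { ok: false, kind: "truncated-signature" };

  // Only "Hash:" armor headers belong between the first line and the blank line.
  const blank = lines.indexOf("");
  const headers = blank === -1 ? [] : lines.slice(1, blank);
  if (blank === -1 || blank > sigAt || headers.some((l) => !/^Hash: \S/.test(l))) {
    return { ok: false, kind: "no-blank-line-after-headers" };
  }
  // Signers dash-escape cleartext lines starting with "-" as "- ...".
  const body = lines.slice(blank + 1, sigAt);
  const bad = body.findIndex((l) => l.startsWith("-") && !l.startsWith("- "));
  if (bad !== -1) return { ok: false, kind: "unescaped-dash-line", line: blank + 2 + bad };
  const hash = headers.map((l) => l.slice(6).trim());
  return { ok: true, kind: "cleartext-signed", hash, bodyLines: body.length };
}

// Constructed sample: the signature body is a placeholder, not a real signature.
const SAMPLE = [SIGNED_BEGIN, "Hash: SHA512", "",
  "Advisory CVE-2026-1234: patch by Friday.",
  SIG_BEGIN, "", "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=", "=AAAA", SIG_END].join("\n");

console.log(classifyPaste(SAMPLE));
console.log(classifyPaste(SAMPLE.split("\n").slice(0, -1).join("\n")));
```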
Valid signature, but the key isn't who you think
[By design — verify trust separately] A `valid: true` only proves the message matches the public key you pasted. It does not prove the key belongs to the claimed person. Always compare the returned 16-hex `keyId` to a fingerprint the sender published through a channel you already trust.
Tool is Developer-tier only
[Tier-gated] The registry sets `minTier: developer`. Free, Pro, and Pro-media accounts cannot open this page — they see an upgrade prompt. Verification shares the same Developer gate as the rest of the tool.
Trying to verify through the public API
[400 rejected] Verification runs on the browser-targeted OpenPGP.js WASM bundle, so the server engine has no case for this slug and the API runner returns 400 with a pointer back to the web tool. Drive the browser UI to verify in bulk.
Expecting a saved-key list to pick the public key from
[Not in this UI] The shipped interface does not keep a key list — you paste the public key each time you verify, and it is discarded when the tab closes. Keep the sender's public key handy in your own notes if you verify their messages often.
Frequently asked questions
Do I need GnuPG or any software installed to verify a PGP message?
No. The verify action runs entirely in your browser tab using OpenPGP.js. You paste the signed block and the sender's public key, and the tool confirms the signature — there is no GnuPG install, no keyring to manage, and no command line to read.
Does the message or public key get sent to a server?
No. Verification runs on a browser-targeted WASM bundle, so the signed message and the public key never leave the tab. The slug is on the browser-only list and the server API path returns 400, so there is no code that could transmit them.
What exactly does a `valid: true` result prove?
It proves the signature on the message matches the public key you pasted and that the text has not changed since it was signed. It does not by itself prove the key belongs to the claimed person — for that, compare the returned key ID to a fingerprint the sender published independently.
What does the `keyId` field mean?
On success it is the 16-hex signing key ID, which you can match against the sender's published fingerprint. On failure it is the OpenPGP error string explaining why verification failed — for example `Signed digest did not match` when the text was altered.
Why did a message I trust come back as invalid?
Two common reasons: the cleartext was edited after signing (even one character breaks it), or you pasted the wrong public key. A digest-mismatch error points to tampering or a re-copy problem; a key-mismatch error means the signature was made by a different key than the one you supplied.
Do I need a private key or passphrase to verify?
No. Verification only uses a public key. There is no private-key or passphrase field for the verify action, so there is no secret to enter or expose. Private keys and passphrases are only relevant to the sign and generate actions.
Can I verify an encrypted PGP message or a detached signature here?
No. This action verifies cleartext-signed blocks (-----BEGIN PGP SIGNED MESSAGE-----). Encrypted -----BEGIN PGP MESSAGE----- blocks and standalone detached signatures are different formats that this tool does not handle. It verifies cleartext signatures only.
The block won't parse — what's wrong?
Almost always a truncated copy. OpenPGP.js needs the complete armor, from the first dash of -----BEGIN through the last dash of -----END, including the Hash: header and the full signature block. Re-select and copy the entire message and try again.
Is this compatible with messages signed by other PGP tools?
Yes. OpenPGP.js reads standard OpenPGP armor, so cleartext signatures from GnuPG, Sequoia, Mailvelope, ProtonMail, and this tool's own sign action all verify the same way. The 16-hex key ID it returns matches the last 16 hex digits GnuPG prints for the same key.
What tier do I need, and is there a size limit?
It is a Developer-tier tool. There is no file-size limit because you paste text and armored blocks into textareas rather than uploading files, so the security family's per-file caps do not apply to verification.
How do I know the key I pasted is really the sender's?
Verification can't tell you that on its own — it only confirms the message matches whatever key you supply. Get the sender's public key or fingerprint from a source you already trust (their website, a prior signed message, an in-person exchange) and confirm the returned key ID matches.
Which JAD tools pair well with verifying a signature?
If the signed message contains a file's checksum, recompute it with multi-hash-fingerprinter and compare. To confirm a downloaded artifact is byte-identical to a reference copy, use file-integrity-monitor. To produce your own signed replies, use the sign action described in the developer signing spoke.
Privacy first
Every JAD Security operation runs entirely in your browser. Files, passwords, and PGP private keys never leave your device — verified by zero outbound network requests during processing.