Clearsigned message.
A PGP message where you can read the original text without doing anything special, and a signature is attached at the bottom proving who wrote it. Used for public announcements, mailing-list posts, software release notes, and anywhere you want authenticity without confidentiality.
A clearsigned message is an OpenPGP message that wraps a piece of plaintext with a signature block, all in one armored unit starting with -----BEGIN PGP SIGNED MESSAGE-----. The text is plainly readable; the signature is verifiable against the signer's public key.
What it is.
Most discussions of PGP focus on encryption — taking plaintext and making it unreadable to anyone but the recipient. Signing is the other half: taking plaintext and attaching proof of who wrote it. A clearsigned message does the latter and only the latter.
The structure has three parts:
- A header announcing the hash algorithm used (e.g. Hash: SHA512).
- The plaintext content, still readable as-is.
- An armored signature block at the bottom.
Anyone can read the message without doing anything cryptographic. Anyone with the signer's public key can additionally verify the signature is valid and the text hasn't been modified.
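The three parts can be separated mechanically. The following is an added example, not code from this page or from any OpenPGP implementation: the function name split_clearsigned and the SAMPLE text are constructed for illustration, and the dash-escaping rule it undoes comes from the OpenPGP cleartext signature framework rather than from the text above. It performs a structural parse only and reports any text that sits outside the armored unit, which the signature does not cover.

```python
# Constructed sample; the signature body is a placeholder, not real data.
SAMPLE = """Forwarded note, outside the signed unit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Release 1.2 is out.
- -- the maintainer
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""

def split_clearsigned(blob):
    """Return (hash_algos, signed_text, armored_signature, outside_lines).
    Structural parse only: the signature is not checked here."""
    lines = blob.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig = lines.index("-----BEGIN PGP SIGNATURE-----", start + 1)
        end = lines.index("-----END PGP SIGNATURE-----", sig + 1)
    except ValueError:
        raise ValueError("not a complete clearsigned message") from None
    # Part 1: Hash headers, closed by one empty line (this example is
    # strict and rejects any other header name).
    i, hash_algos = start + 1, []
    while i < sig and lines[i].strip():
        name, _, value = lines[i].partition(":")
        if name != "Hash":
            raise ValueError("unexpected header: %r" % lines[i])
        hash_algos += [v.strip() for v in value.split(",")]
        i += 1
    if i == sig:
        raise ValueError("missing empty line after headers")
    # Part 2: readable text. The signer prefixes any line that starts
    # with "-" with "- " (dash-escaping); undo that to get the original.
    body = []
    for line in lines[i + 1:sig]:
        if line.startswith("- "):
            line = line[2:]
        elif line.startswith("-"):
            raise ValueError("unescaped dash line in signed text")
        body.append(line)
    # Part 3: armored signature, verbatim. Anything before or after the
    # armored unit is not covered by the signature, so report it.
    outside = [l for l in lines[:start] + lines[end + 1:] if l.strip()]
    return hash_algos, "\n".join(body), "\n".join(lines[sig:end + 1]), outside
```

Checking the signature itself still requires an OpenPGP implementation and the signer's public key.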
Why it matters.
Clearsigning is the right tool when you want authenticity without confidentiality:
- Public announcements. A maintainer announces a CVE; readers need to know it really came from the maintainer, but the content is supposed to be public.
- Mailing-list posts. Sign your post so subscribers can verify; encryption would defeat the point of a mailing list.
- Release notes. Signed release notes alongside signed binaries; the notes are public-facing.
- Statements of authorship. Transition statements (announcing key rotation), key-distribution claims, position statements — any content where "this came from me" matters but "only the recipient can read this" doesn't.
Compared to detached signatures, the convenience is that text and signature travel together in one block — no risk of losing the signature file or pairing it with the wrong content.