How to verify a PGP signature on your phone.

Two minutes to confirm a signed message or file is exactly what the signer sent — unmodified and produced by the secret key paired with their public key. Works for inline (clearsigned) and detached signatures.

~2 minutes | iOS / Android | Signer's public key required
// at a glance
  1. Have the signed content + signer's public key
  2. Import the public key if needed
  3. Open PGPony, run verify
  4. Paste or share in the signed content
  5. Read the result
Prerequisites
  • PGPony installed
  • The signed content (inline PGP SIGNED MESSAGE block, or a file + detached .sig)
  • The signer's OpenPGP public key already imported into PGPony
// step 01

Make sure the signer's key is in your keyring.

Confirm the signer's public key is in PGPony. If not, import it first — from a key file, a keyserver lookup by fingerprint, or any channel where their public key is available.

// step 02

Open the verify flow.

Open PGPony's Decrypt tab. The Decrypt flow handles both encrypted PGP messages and clearsigned (signature-only) blocks — paste either and PGPony detects which operation it is.

// step 03

Provide the signed content.

For an inline (clearsigned) message — paste the entire block from -----BEGIN PGP SIGNED MESSAGE----- to -----END PGP SIGNATURE----- into the Decrypt input and tap Decrypt. PGPony recognizes the clearsigned structure and runs verification rather than decryption.

For a detached signature on a file — share both the original file and the .sig file into PGPony. The Decrypt flow pairs them automatically.

// step 04

Read the verification result.

Three possible outcomes:

  • Valid. The signature was produced by the secret key paired with the public key you have, and the content matches.
  • Valid but untrusted. Mathematically correct, but you haven't marked the signer's key as trusted. Set trust once you've verified the fingerprint out-of-band.
  • Invalid. The content was modified after signing, or the signature doesn't match the public key you have for the signer. Don't trust the content.
Important: "Valid" means mathematically valid against the public key you have. It does NOT certify the key belongs to who you think — that part is on you, via fingerprint verification or a chain of trust signatures.

Verify it worked.

  • PGPony shows a clear signature result.
  • The signer's fingerprint is displayed for inspection.
  • For inline messages, the original content is shown separately, with the signature stripped.

Common questions.

Inline vs detached signatures?

Inline (clearsigned) wraps content and signature in one block with PGP SIGNED MESSAGE markers. Detached signatures are separate .sig files alongside the original. PGPony and most OpenPGP tools handle both.
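Step 02 says PGPony detects whether a pasted block needs decrypting or verifying, and the "Verify it worked" list says the original content is shown with the signature stripped. The following is an added example, not PGPony's code, of how an OpenPGP client does both for a clearsigned block: the function names, the sample message and the placeholder digest and signature are all constructed for illustration.

```python
# Added example (not PGPony's code): how an OpenPGP client tells a clearsigned
# block from an encrypted message, and recovers the text the signature covers.
CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
MSG_BEGIN = "-----BEGIN PGP MESSAGE-----"

def classify(block: str) -> str:
    """Pick the operation a pasted block calls for from its first armor line."""
    s = block.lstrip()
    if s.startswith(CLEARSIGN_BEGIN):
        return "verify-clearsigned"
    if s.startswith(SIG_BEGIN):
        return "verify-detached"   # signature only; the original file is needed too
    if s.startswith(MSG_BEGIN):
        return "decrypt"           # encrypted message; may carry its own signature
    return "unknown"

def split_clearsigned(block: str) -> tuple[str, str]:
    """Return (signed text, armored signature) from a clearsigned block.
    Undoes RFC 4880 7.1 dash-escaping ('- ' prefix on lines starting with '-')
    and strips trailing whitespace, since the signature covers canonical text."""
    lines = block.strip().splitlines()
    if not lines or lines[0] != CLEARSIGN_BEGIN:
        raise ValueError("not a clearsigned message")
    i = 1
    while i < len(lines) and lines[i].strip():   # skip 'Hash: ...' armor headers
        i += 1
    i += 1                                       # the blank line ending the headers
    try:
        sig_start = lines.index(SIG_BEGIN, i)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError:
        raise ValueError("signature block missing or truncated") from None
    body = [(ln[2:] if ln.startswith("- ") else ln).rstrip(" \t")
            for ln in lines[i:sig_start]]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])

# Constructed sample: the placeholders stand in for a real digest and signature.
SAMPLE = "\n".join([
    CLEARSIGN_BEGIN, "Hash: SHA256", "",
    "Release 1.2.3 checksums:   ",            # trailing spaces are not signed
    "- --- sha256sums below ---",             # dash-escaped text line
    "<sha256-placeholder>  pgpony-1.2.3.apk",
    SIG_BEGIN, "", "<base64-signature-placeholder>", SIG_END,
])
```

The split is only the parsing half: the returned signature must still be checked against the returned text with the signer's public key, and a missing END line is rejected rather than verified against a truncated block.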

What does verified actually mean?

The signature was produced by the secret key paired with the public key you have, and the content hasn't been modified since signing. Doesn't certify the key's owner identity — that requires out-of-band fingerprint verification.

Valid but untrusted?

Math checks out but you haven't marked the signer's key as trusted locally. Trust is your local assertion that the key really belongs to the named identity.

Key not found?

You don't have the signer's public key. Import it first — from a key file, keyserver search by fingerprint, or any channel that provides the key.

Verify software release signatures?

Yes — this is a common use case. Download the release plus its .sig, transfer both to your phone, and share them into PGPony for verification. The maintainer's public key needs to be imported first, with its fingerprint checked out-of-band as described above.

Next steps.

Get PGPony

Free OpenPGP encryption for iOS and Android. No accounts, no tracking.