PGP Suite: Sign, Verify & Generate Keys (Client‑Side) – Free Tool | 8gwifi.org

PGP Suite: Sign, Verify & Generate Keys

Create and verify signatures, and generate keys — all client‑side

Private: All signing happens locally using OpenPGP.js v5. Your private key and passphrase never leave your device.
Need verification? Use PGP File Signature Verification or the main Signature Verifier.
Message
PGP Private Key
Key is processed locally and never uploaded.
Passphrase
Tips
  • Use a long, unique passphrase.
  • Share only the signed output; keep your private key secret.
  • Verify here: Verify Signatures.
PGP Overview

PGP (RFC 4880) provides confidentiality (encryption), authenticity (signatures), and integrity.

  • Keys: Public (share) + Private (keep secret). Verify the fingerprint over a trusted channel.
  • Signing: Proves author and protects from tampering; does not hide content.
  • Encryption: Hides content; does not prove author unless also signed.
  • Types: Cleartext signatures (inline), Detached signatures (.asc/.sig), Attached/opaque signatures.
  • Formats: .asc (armored text), .pgp/.gpg (binary).
  • Trust: Direct trust, Web of Trust, WKD/HKP discovery.
  • Key Hygiene: Use strong passphrases, keep revocation cert offline, rotate/expire keys, prefer Ed25519 for signing.

Common issues: invalid signature (wrong key/tampered), wrong passphrase, mixed line-endings.

References: RFC 4880, OpenPGP.js, GnuPG
About & Trust
  • Author: Anish Nath (Security Engineer)
  • Library: OpenPGP.js v5.11.2 (client-side only)
  • Data handling: Keys and files never leave your device
  • Updated: 2025-11-25
References: RFC 4880, OpenPGP.js Docs, GnuPG Docs
Select File
Drag & Drop file here

or click to browse

PGP Private Key
Passphrase
Signature Format
Good to Know
  • Detached signature does not modify the original file.
  • Share both the file and the signature with the recipient.
  • Recipients can verify with File Signature Verify.
Verify Cleartext Signed Message
Signer Public Key
Verify File with Detached Signature
Drop file here

or click to browse

Drop signature here

or click to browse

Signer Public Key
Verification Tips
  • Always confirm the public key fingerprint via trusted channels.
  • Cleartext verification extracts the original message if valid.
  • Detached signatures require both original file and signature.
Identity
Algorithm
Ed25519 offers smaller keys and faster operations; RSA maintains broad compatibility.
Passphrase
Passphrase is required.
Use a long, unique passphrase (20+ chars recommended).
Key Safety
  • Backup your private key and passphrase securely.
  • Share only the public key; keep private key secret.
  • Consider generating a revocation certificate.

Support This Free Tool

Every coffee helps keep the servers running. Every book sale funds the next tool I'm dreaming up. You're not just supporting a site — you're helping me build what developers actually need.

500K+ users
200+ tools
100% private
One-time support Buy me a coffee 📚 Learn & support 9-Book Bundle - $9 Stay updated Follow @anish2good
Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.
Quick Access
PGP FAQ

Q: What is the difference between cleartext and detached signatures?
A: Cleartext signatures keep the message human‑readable with an inline signature block; detached signatures are separate .asc/.sig files used to verify any file without changing it.

Q: How do I verify a signed message?
A: Paste the signed text and the signer’s public key in the Verify tab and click Verify. You’ll see validity, signer KeyID, fingerprint, UID and the signature time.

Q: How do I verify a file with a detached signature?
A: Select the original file and the .asc/.sig signature, paste the signer’s public key, then verify. The suite lists each signature and status.

Q: Can I recover my private‑key passphrase if I forget it?
A: No. Passphrases are not recoverable. Generate a new key pair and distribute the new public key; revoke the old key if possible.

Q: Is this secure? Do keys leave my device?
A: All operations happen client‑side in your browser using OpenPGP.js. Keys and files never leave your device.

Q: How do I confirm I have the right public key?
A: Compare the fingerprint over a trusted channel (in‑person, voice, QR, business card) before trusting signatures or encrypting to the key.

Q: Can I sign with multiple keys or add notations?
A: Advanced options like multi‑sign and notations are planned. For now, you can sign with one key and verify multi‑signature messages.