AgePony PGPony ↗ download
// guide / verify-an-sshsig-signature

How to verify an SSHSIG signature.

Confirm a file is authentic and unmodified. AgePony 2.0 verifies SSHSIG signatures in-app, and the same signatures verify with stock OpenSSH anywhere.

~2 minutes iOS / Android Signer's public key
// at a glance
  1. Get the file, its .sig, and the signer's key
  2. Open AgePony, choose Verify
  3. Provide all three
  4. Read the result
  5. Trust only on a fingerprint match
Prerequisites
  • AgePony 2.0 installed
  • The signed file and its detached .sig
  • The signer's SSH public key
// step 01

Gather the three inputs.

You need the original file, the detached .sig, and the signer's public key. The public key is what ties the signature to a known identity.

// step 02

Open the Verify flow.

In AgePony choose Verify. Provide the file, the signature, and the signer's public key.

// step 03

Run verification.

AgePony checks the signature against the file under the agepony namespace and reports whether it is valid.

// step 04

Read the result.

A valid result means the file was signed by the holder of that public key and has not changed since. An invalid result means the file was altered or the signature does not match the key.

// step 05

Confirm the signer's identity.

Validity is against the public key you supplied. Make sure that key really belongs to who you think — verify its fingerprint through an independent channel.

Verify it worked.

  • AgePony displays the signer's key fingerprint.
  • Valid, invalid, and key-mismatch are clearly distinguished.
  • ssh-keygen -Y verify on a desktop gives the same result.

Common questions.

What does valid actually prove?

That the file was signed by the private key matching the public key you provided, and is unmodified. It does not prove who owns that key — confirm the fingerprint separately.

Can I verify without AgePony?

Yes — any OpenSSH 8.0+ system verifies with ssh-keygen -Y verify and an allowed_signers file.

What namespace is used?

agepony. Desktop verification must pass -n agepony.

What if verification fails?

Do not trust the file. It was either modified or not signed by the expected key.

Next steps.

Signing

Sign a file with your SSH key
Glossary

SSHSIG
Glossary

Detached signature
Glossary

ssh-ed25519

Get AgePony

Free file encryption for iOS and Android. No accounts, no tracking, no servers.

Download on the App Store
Get it on Google Play