You can create a detached signature with GnuPG (GPG), which means you create a separate signature file, next to the actual file, which can then be used to verify the file’s integrity.

The official GnuPG documentation would tell you:

gpg --output doc.sig --detach-sig doc

However, there’s a much easier way:

gpg --detach-sign myfile

If you have multiple keys, you can specify the correct one to use with:

gpg -u [email protected]example.com --detach-sign myfile

Instead of the email, you can specify the key ID or fingerprint, etc. If you specify nothing, your default key will be used.

By default, the signature will be put in a binary file of the same name, but with a .sig appended.

If you instead want to have the signature “ASCII armored” (text instead of binary), add the option -a like so:

gpg --detach-sign -a myfile

Which will output to myfile.asc instead of myfile.sig. You can also specify your key with -u like above.

To verify a signature, do:

gpg --verify myfile.sig

Or myfile.asc, depending on what you used.

That’s all there is to it! Consider donating a coffee if this helped you. (: