sigmark

GPG signing for static site markdown content. Works with Hugo, Jekyll, Zola, Eleventy, and any static site generator that uses YAML front matter.

Install

pip install sigmark

Requires gpg on your PATH.

Usage

# Sign all markdown in current directory (uses default GPG key)
sigmark sign

# Sign a specific directory
sigmark sign content/

# Use a specific GPG key
sigmark sign --key lex@metafunctor.com content/

# Re-sign everything (including already-signed)
sigmark sign --force

# Check signing status (instant, uses body hash)
sigmark status content/
sigmark status --json content/

# Verify signatures cryptographically
sigmark verify content/

# Remove all signatures
sigmark strip content/

# Dry run (preview without changes)
sigmark -n sign content/

What it does

Signs the body of markdown files (everything below the --- front matter) with GPG and stores the signature in front matter:

title: "My Post"
date: 2026-02-17
tags: ["cryptography"]

  

Only the body is signed. You can freely change tags, categories, and other metadata without invalidating the signature.

Staleness detection

A SHA-256 body hash is stored at sign time. sigmark sign (without --force) skips files whose body hasn’t changed, making it cheap to run on every deploy. sigmark status uses the hash for instant staleness detection without invoking GPG.

Commands

All commands default to current directory. Directories are walked recursively for .md files with YAML front matter. Global flags: -v (verbose), -n (dry-run).

Hugo integration

Copy hugo/layouts/partials/gpg-badge.html into your site’s layouts/partials/, then:

{{ partial "gpg-badge.html" . }}

Renders a “GPG Signed” badge with expandable signature details.

Manual verification

# Extract body (everything after second ---) to body.txt
# Copy gpg_sig value to sig.asc
gpg --verify sig.asc body.txt

License

MIT