Isn't there a more flexible, less obtrusive approach? Maybe not GPG but something else?
BSD signify. You still have to exchange the public key at some point, but there's no keyring etc.
toolname --verify --pub path/to/public.key --sig path/to/signature path/to/file-to-verify
would be
signify -V -p path/to/public.key -x path/to/signature -m path/to/file-to-verify
signify is quite easy to use. The complete relevant usage can be explained in four examples, I think; I'll just cite Ted Unangst's and Marc Espie's man page here:
Create a new key pair:
signify -G -p newkey.pub -s newkey.sec
The newkey.pub public key is very short. It looks like this:
RWQihFKGTsDkMj9lWO3W+lIBNgooJtWDgcIT9uD3rd6GGz7ta38UPQMd
and could easily be included e.g. in a QR code with your ink signature across it, if you need non-digital distribution.
Sign a file, specifying a signature name:
signify -S -s key.sec -m message.txt -x msg.sig
If you don't specify -x, then it would have been message.txt.sig.
Verify a signature, using the default signature name:
signify -V -p key.pub -m generalsorders.txt
If you use sha256sum --tag file1 file2… > SHA256, then signify -S -s path/to/private.key -m SHA256 -e, and send SHA256.sig:
Verify a release directory containing SHA256.sig and a full set of release files:
signify -C -p /etc/signify/openbsd-76-base.pub -x SHA256.sig
Gzip archives are special, because you can embed the signature in the archive itself without affecting the compressed data.
Sign a gzip archive:
signify -Sz -s key-arc.sec -m in.tgz -x out.tgz
Verify a gzip pipeline:
ftp url | signify -Vz -t arc | tar ztf -
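The file layout behind the commands above, as an added example that is not part of the post and is not signify's own code: a Go program that reproduces signify's format (one "untrusted comment:" line, one base64 line holding the two-byte "Ed" algorithm id, an eight-byte key number and the 32-byte key or 64-byte signature, and for -e the message appended verbatim) and walks through -G, -S with and without -e, and -V, including the key-number comparison that makes signify report "checked against wrong key" before it tries any cryptography. Go's crypto/ed25519 stands in for signify's Ed25519 implementation, the secret key is kept in memory rather than written to a passphrase-protected .sec file, the SHA256 line is a constructed stand-in for sha256sum --tag output, and the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signify blob: 2-byte algorithm id "Ed", 8-byte random key number that ties a
// signature to the key pair that made it, then the public key or signature.
// A file is one "untrusted comment:" line, one base64 line, and for -e the
// message appended verbatim after the base64 line.
const algEd = "Ed"

type Blob struct {
	Alg    string
	KeyNum [8]byte
	Data   []byte // 32-byte public key or 64-byte signature
}

// ParseBlob decodes a public key or signature file; the second return value is
// whatever follows the base64 line (the embedded message for -e signatures).
func ParseBlob(file string, wantLen int) (Blob, []byte, error) {
	var b Blob
	lines := strings.SplitN(file, "\n", 3)
	if len(lines) < 3 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return b, nil, errors.New("expected an untrusted comment line followed by a base64 line")
	}
	raw, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil {
		return b, nil, fmt.Errorf("bad base64: %w", err)
	}
	if len(raw) != 10+wantLen || string(raw[:2]) != algEd {
		return b, nil, fmt.Errorf("not an Ed25519 blob of %d bytes", 10+wantLen)
	}
	b.Alg, b.Data = algEd, raw[10:]
	copy(b.KeyNum[:], raw[2:10])
	return b, []byte(lines[2]), nil
}

func encodeFile(comment string, keyNum [8]byte, data []byte) string {
	raw := append(append([]byte(algEd), keyNum[:]...), data...)
	return "untrusted comment: " + comment + "\n" + base64.StdEncoding.EncodeToString(raw) + "\n"
}

// GenerateKey mimics "signify -G" (example simplification: the secret key is
// returned in memory instead of being written to a passphrase-protected file).
func GenerateKey() (pubFile string, priv ed25519.PrivateKey, keyNum [8]byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		_, err = rand.Read(keyNum[:])
	}
	if err != nil {
		return "", nil, keyNum, err
	}
	return encodeFile("signify public key", keyNum, pub), priv, keyNum, nil
}

// Sign mimics "signify -S": a detached Ed25519 signature over the whole message.
// With embed (signify -e) the message follows the signature in the same file.
func Sign(priv ed25519.PrivateKey, keyNum [8]byte, pubName string, msg []byte, embed bool) string {
	out := encodeFile("verify with "+pubName, keyNum, ed25519.Sign(priv, msg))
	if embed {
		out += string(msg)
	}
	return out
}

// Verify mimics "signify -V": reject a signature made by a different key pair
// before any cryptography runs, then check the Ed25519 signature. Pass msg=nil
// for an embedded signature; the message then comes from the signature file.
func Verify(pubFile, sigFile string, msg []byte) ([]byte, error) {
	pub, _, err := ParseBlob(pubFile, ed25519.PublicKeySize)
	if err != nil {
		return nil, fmt.Errorf("public key: %w", err)
	}
	sig, embedded, err := ParseBlob(sigFile, ed25519.SignatureSize)
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if pub.KeyNum != sig.KeyNum {
		return nil, errors.New("verification failed: checked against wrong key")
	}
	if msg == nil {
		msg = embedded
	}
	if !ed25519.Verify(ed25519.PublicKey(pub.Data), msg, sig.Data) {
		return nil, errors.New("signature verification failed")
	}
	return msg, nil
}

func main() {
	pubFile, priv, keyNum, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the output of "sha256sum --tag ... > SHA256".
	sha256File := []byte("SHA256 (base76.tgz) = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n")
	sigFile := Sign(priv, keyNum, "newkey.pub", sha256File, true) // like signify -S -e
	_, err = Verify(pubFile, sigFile, nil)
	fmt.Println("intact:", err)
	_, err = Verify(pubFile, strings.Replace(sigFile, "base76", "base77", 1), nil)
	fmt.Println("tampered:", err)
}
```

Running it prints "intact: <nil>" and then a verification error for the copy whose embedded SHA256 line was altered. The same Verify logic is what -C runs first on SHA256.sig; -C then additionally recomputes each listed file's hash and compares it with the verified SHA256 contents.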