DigitalTrustCenter / sectxt

security.txt parser and validator
European Union Public License 1.2

Status not_signed despite signing #77

Closed MarcelOnGit closed 2 months ago

MarcelOnGit commented 2 months ago

When querying the security.txt, I get the recommendation that I should still sign the file, although a signature is available.

I then checked the signing with the following script and found no error:

#!/bin/sh
# URLs of the files
SECURITY_TXT_URL="https://my.domain/.well-known/security.txt"
SIGNATURE_URL="https://my.domain/.well-known/security.txt.asc"
KEY_URL="https://my.domain/pgp-key.asc"

# Names of the local files
SECURITY_TXT="security.txt"
SIGNATURE="security.txt.asc"
KEY="pgp-key.asc"

# Download files (-f: fail on HTTP errors instead of saving an error page as the file)
curl -fsS -o "$SECURITY_TXT" "$SECURITY_TXT_URL"
curl -fsS -o "$SIGNATURE" "$SIGNATURE_URL"
curl -fsS -o "$KEY" "$KEY_URL"

# Check the MIME type of the signature file (drop any trailing "; charset=..." parameter and CR)
mime_type=$(curl -fsSI "$SIGNATURE_URL" | grep -i '^Content-Type:' | awk '{print $2}' | tr -d '\r;')

if [ "$mime_type" != "application/pgp-signature" ]; then
  echo "Invalid MIME type for the signature file: $mime_type"
  exit 1
fi

# Import GPG key
gpg --import "$KEY"

# Verify the detached signature against the downloaded security.txt and show the result
if gpg --verify "$SIGNATURE" "$SECURITY_TXT"; then
  echo "Signature is valid."
else
  echo "Signature is invalid."
fi

What could be the reason that sectxt returns not_signed as status or recommendation?

My security.txt looks like this:

Contact: mailto:security@my.domain
Expires: 2025-07-23T16:36:00.000Z
Encryption: https://my.domain/.well-known/openpgpkey/hu/t5s8ztdbon8yzntexy6oz5y48etqsnbb
Encryption-Key: https://my.domain/pgp-key.asc
Preferred-Languages: en, de
Canonical: https://my.domain/.well-known/security.txt
Signature: https://my.domain/.well-known/security.txt.asc

bwbroersma commented 2 months ago

An "OpenPGP cleartext signature" should be used, not a detached signature, see RFC 9116 § 2.3. Digital Signature.
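
As an added illustration of this point (not code from the sectxt project), a minimal check of the framing RFC 9116 expects: the security.txt body itself must be an OpenPGP cleartext-signed message, so a file that only links to a detached .asc is classified not_signed. The sample bodies are constructed, the signature block is a placeholder that is not cryptographically verified, and the "signed" label is my own naming.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def signature_status(body):
    """Return ('signed', signed_text) if body is an OpenPGP cleartext-signed
    message, else ('not_signed', None). Only the armor framing is inspected;
    cryptographic verification is a separate step (gpg --verify on the file)."""
    lines = body.splitlines()
    if not lines or lines[0].strip() != BEGIN_SIGNED:
        return "not_signed", None
    i = 1
    # armor headers such as "Hash: SHA256" run until the first empty line
    while i < len(lines) and lines[i].strip():
        if ":" not in lines[i]:
            return "not_signed", None
        i += 1
    i += 1  # skip the empty line that ends the armor headers
    text = []
    while i < len(lines) and lines[i].strip() != BEGIN_SIG:
        line = lines[i]
        # undo RFC 4880 dash-escaping ("- -----" -> "-----")
        text.append(line[2:] if line.startswith("- ") else line)
        i += 1
    if i >= len(lines) or not any(l.strip() == END_SIG for l in lines[i:]):
        return "not_signed", None  # signature block missing or unterminated
    return "signed", "\n".join(text) + "\n"

# Constructed sample 1: fields from the issue's file, with no signature in the body
PLAIN = """Contact: mailto:security@my.domain
Expires: 2025-07-23T16:36:00.000Z
Canonical: https://my.domain/.well-known/security.txt
"""

# Constructed sample 2: the same fields wrapped as a cleartext signature.
# The signature data below is a placeholder, not a real OpenPGP signature.
CLEARTEXT = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

""" + PLAIN + """-----BEGIN PGP SIGNATURE-----

placeholderSignatureDataConstructedForThisExample=
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for name, body in (("detached-style", PLAIN), ("cleartext", CLEARTEXT)):
        print(name, "->", signature_status(body)[0])
```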

MarcelOnGit commented 2 months ago

Thanks for the tip. That was the cause.