diff --git a/0publish b/0publish
index aa0b8c2..7ef1453 100755
--- a/0publish
+++ b/0publish
@@ -20,6 +20,7 @@ parser.add_option("-c", "--create", help="create file if nonexistant", action='s
 parser.add_option("-d", "--add-digest", help="add extra digests", action='store', metavar='ALG')
 parser.add_option("-e", "--edit", help="edit with $EDITOR", action='store_true')
 parser.add_option("-k", "--key", help="key to use for signing")
+parser.add_option("--gpg-passphrase", help="Use PASS to unlock the private GPG key", metavar="PASS")
 parser.add_option("-l", "--local", help="deprecated; use --add-from instead", dest='add_from', metavar='LOCAL')
 parser.add_option("--manifest-algorithm", help="select algorithm for manifests", action='append', metavar='ALG')
 parser.add_option("--set-interface-uri", help="set interface URI", action='store', metavar='URI')
@@ -197,7 +198,7 @@ try:
 # Write it back out
 if not data.endswith(b'\n'): data += b'\n'
- sign_fn(interface, data, key)
+ sign_fn(interface, data, key, options.gpg_passphrase)
 info("Wrote '%s'", interface)
diff --git a/signing.py b/signing.py
index 07abfa9..78a058e 100644
--- a/signing.py
+++ b/signing.py
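Review bot: In the 0publish option hunk, `--gpg-passphrase PASS` takes the key passphrase as a command-line argument, so it is readable through the process list by other local users while 0publish runs and is usually saved to shell history. The help text gives no hint of that. If the option is needed for unattended signing, reading the secret from a file or descriptor would be safer; at minimum the help should say so: `help="Use PASS to unlock the private GPG key (exposed in the process list and shell history; prefer gpg-agent)"`.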
@@ -53,28 +53,29 @@ def write_tmp(path, data):
 return tmp
-def run_gpg(default_key, *arguments):
+def run_gpg(default_key, gpg_passphrase, *arguments):
 arguments = list(arguments)
+ if gpg_passphrase is not None:
+ arguments = ['--passphrase', gpg_passphrase] + arguments
 if default_key is not None:
- arguments = ['--default-key', default_key] + arguments
- arguments.insert(0, '--use-agent')
+ arguments = ['--local-user', default_key] + arguments
 arguments.insert(0, 'gpg')
 import subprocess
 if subprocess.call(arguments):
 raise SafeException("Command '%s' failed" % arguments)
-def sign_unsigned(path, data, key):
+def sign_unsigned(path, data, key, gpg_passphrase):
 support.portable_rename(write_tmp(path, data), path)
-def sign_xml(path, data, key):
+def sign_xml(path, data, key, gpg_passphrase):
 tmp = write_tmp(path, data)
 sigtmp = tmp + '.sig'
 try:
- run_gpg(key, '--detach-sign', '--output', sigtmp, tmp)
+ run_gpg(key, gpg_passphrase, '--detach-sign', '--output', sigtmp, tmp)
 finally:
 os.unlink(tmp)
 with open(sigtmp, 'rb') as stream:
- encoded = base64.encodestring(stream.read())
+ encoded = base64.encodebytes(stream.read())
 os.unlink(sigtmp)
 sig = b"\n"
 support.portable_rename(write_tmp(path, data + sig), path)
@@ -96,8 +97,9 @@ def export_key(dir, fingerprint):
 key_file = os.path.join(dir, keyID + '.gpg')
 if os.path.isfile(key_file):
 return
- with open(key_file, 'wb') as key_stream:
- stream = os.popen("gpg -a --export '%s'" % fingerprint, mode = 'rb')
- shutil.copyfileobj(stream, key_stream)
+ with open(key_file, 'w') as key_stream:
+ stream = os.popen("gpg -a --export %s" % fingerprint, mode = 'r')
+ data = stream.read()
+ key_stream.write(data)
 stream.close()
 print("Exported public key as '%s'" % key_file)
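Review bot: `run_gpg` now places the passphrase in gpg's argv via `--passphrase`, and the same list is formatted into `SafeException("Command '%s' failed" % arguments)`, so any signing failure prints the passphrase into the error output and into whatever logs capture it. Handing it to gpg on stdin with `--passphrase-fd 0` keeps it out of both the process list and the exception text. With `--use-agent` dropped, GnuPG 2.x only honours a supplied passphrase together with `--batch` (and, from 2.1, `--pinentry-mode loopback`), so the option may be silently ignored there; that should be checked against the gpg versions this is meant to support. `sign_unsigned` accepts `gpg_passphrase` and never uses it, which deserves a one-line comment such as `# gpg_passphrase is unused: nothing is signed here`.

```python
def run_gpg(default_key, gpg_passphrase, *arguments):
    arguments = list(arguments)
    stdin_data = None
    if gpg_passphrase is not None:
        # Pass the secret on stdin so it never appears in argv or in the error text below.
        arguments = ['--batch', '--passphrase-fd', '0'] + arguments
        stdin_data = (gpg_passphrase + '\n').encode()
    # … unchanged: --local-user handling, 'gpg' prepended …
    import subprocess
    child = subprocess.Popen(arguments, stdin = subprocess.PIPE if stdin_data is not None else None)
    child.communicate(stdin_data)
    if child.returncode:
        raise SafeException("Command '%s' failed" % arguments)
```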
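Review bot: In the `export_key` hunk the fingerprint is still interpolated into a shell string for `os.popen`, now without the surrounding quotes, and gpg's exit status is never checked. If the export fails, an empty `key_file` is written and the `os.path.isfile(key_file)` guard above then skips the export on every later run. Where `fingerprint` comes from is outside the hunk, so it should be treated as untrusted until shown otherwise. An argument list avoids the shell and surfaces failures: `with open(key_file, 'wb') as key_stream:` followed by `subprocess.check_call(['gpg', '-a', '--export', fingerprint], stdout = key_stream)`, with `subprocess` imported as `run_gpg` does. `export_key` begins before this hunk.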