diff --git a/cmd/pm/main.go b/cmd/pm/main.go
index 0c972ed..513c002 100644
--- a/cmd/pm/main.go
+++ b/cmd/pm/main.go
@@ -90,7 +90,11 @@ func main() {
 			if signID == "" {
 				fatalf("must set PM_PGP_ID\n")
 			}
-			if err := keyring.Sign(root, signID, os.Stdin, os.Stdout); err != nil {
+			e, err := keyring.FindSecretEntity(root, signID)
+			if err != nil {
+				fatalf("find secret key: %v\n", err)
+			}
+			if err := keyring.Sign(e, os.Stdin, os.Stdout); err != nil {
 				fatalf("signing: %v\n", err)
 			}
 		case "verify", "v":
diff --git a/keyring/keyring.go b/keyring/keyring.go
index 43dc428..2fffb94 100644
--- a/keyring/keyring.go
+++ b/keyring/keyring.go
@@ -184,20 +184,8 @@ func Import(root string, w io.Reader) error {
 }
 
 // Sign takes an id and a reader and writes the signature for that id to sig.
-func Sign(root, id string, in io.Reader, sig io.Writer) error {
-	if err := ensureDir(root); err != nil {
-		return errors.Wrap(err, "can't find or create pgp dir")
-	}
-	srn, prn := getNames(root)
-	secs, _, err := getELs(srn, prn)
-	if err != nil {
-		return errors.Wrap(err, "getting existing keyrings")
-	}
-	e, err := findKey(secs, id)
-	if err != nil {
-		return errors.Wrapf(err, "finding key %q", id)
-	}
-	if err := openpgp.ArmoredDetachSign(sig, e, in, nil); err != nil {
+func Sign(key *openpgp.Entity, in io.Reader, sig io.Writer) error {
+	if err := openpgp.ArmoredDetachSign(sig, key, in, nil); err != nil {
 		return errors.Wrap(err, "armored detach sign")
 	}
 	fmt.Fprintf(sig, "\n")