Unfortunately, this is a real dilemma. A private key (which is needed to digitally sign a message) is normally protected by a passphrase, and that passphrase must be handed to GnuPG every time a message is signed. To sign messages from a program, there are basically four options:
- Use a private key without a passphrase;
- Prompt the user for a passphrase each time a message is sent;
- Cache a passphrase for the duration of a session;
- Cache the passphrase in a database.
Obviously, using a private key that has no passphrase seems like an extremely bad idea. However, section 4.14 ("How can I use GnuPG in an automated environment?") of the GnuPG Frequently Asked Questions states:
You should use the option --batch and don't use passphrases as there is usually no way to store it more securely than on the secret keyring itself.
I guess the best way forward is to create a trusted key and a signing key: remove the passphrase from the signing key and sign it with the trusted key. This way, the validity of the signing key gains a little more credibility.
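The key layout described above, as an added example in POSIX shell (this is not code from the original post): a passphrase-protected, certify-only "trusted" key, a passphrase-less signing key, a certification of the signing key by the trusted key, and finally an unattended --batch signature that needs no passphrase at all. The key names, e-mail addresses, the passphrase and the message are made up for the demo; everything happens in a throwaway GNUPGHOME, and GnuPG 2.1 or later is assumed for the --quick-* commands and --pinentry-mode loopback.

```shell
#!/bin/sh
# Added example, not code from the original post. Demo names, addresses and the
# passphrase are made up; the keyring lives in a temporary GNUPGHOME.
set -eu

TRUSTED_PASS='correct horse battery staple'   # demo passphrase only, never reuse

# Fingerprint of the first key matching a user id (colon output, field 10 of the fpr line).
fingerprint_of() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Detached, armored signature with the passphrase-less key: no --passphrase option at all.
sign_message() {   # $1 = file to sign, $2 = signature file to write
    gpg --batch --quiet --yes --local-user "$SIGNER_FPR" \
        --armor --detach-sign --output "$2" "$1"
}

# Number of certifications on the signing key made by the trusted key
# (sig lines in --with-colons output carry the signer's long key id in field 5).
count_trusted_certs() {
    keyid=$(printf '%s' "$TRUSTED_FPR" | tail -c 16)
    gpg --batch --with-colons --list-sigs "$SIGNER_FPR" \
        | awk -F: -v k="$keyid" '$1=="sig" && $5==k' | wc -l | tr -d ' '
}

run_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to demonstrate" >&2
        return 0
    fi
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill all 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

    # 1. Trusted key: certify-only and passphrase protected (keep it offline in real use).
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$TRUSTED_PASS" \
        --quick-generate-key 'Release Trust Key (demo) <trust@example.invalid>' ed25519 cert never

    # 2. Signing key: created WITHOUT a passphrase so a --batch program can use it unattended.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Build Signer (demo) <signer@example.invalid>' ed25519 sign never

    TRUSTED_FPR=$(fingerprint_of trust@example.invalid)
    SIGNER_FPR=$(fingerprint_of signer@example.invalid)

    # 3. Certify the signing key with the trusted key: the only step that needs the passphrase.
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "$TRUSTED_PASS" \
        --default-key "$TRUSTED_FPR" --quick-sign-key "$SIGNER_FPR"

    # 4. Unattended signing and verification of a constructed message.
    printf 'build 42 artefact digest: 0123abcd\n' > "$GNUPGHOME/msg.txt"
    sign_message "$GNUPGHOME/msg.txt" "$GNUPGHOME/msg.sig"
    gpg --batch --quiet --verify "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt"
    echo "signing key $SIGNER_FPR carries $(count_trusted_certs) certification(s) from $TRUSTED_FPR"
}

run_demo
```

The certification only says "the holder of the trusted key vouches for this signing key"; the signing key's secret material is still unprotected on disk, so it should live under a dedicated account with tight file permissions and a short expiry (the demo uses `never` only to keep the commands simple), and the trusted key should stay offline so it can revoke and re-certify a replacement if the signing key leaks.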