The problem for us is how to automate the signing process, since the encrypting and sending of the files is usually handled through scripts called by cron. To use the private key, in this case for the signature, normally requires the use of a passphrase. To not have a passphrase on a private key would allow anyone to use that private key and would render the whole process pointless. GPG does have a --batch option, which tells gpg to not prompt the user for any info, but this just causes the gpg command to fail. The GPG FAQ does have an entry that addresses this problem, but it is so terse that it leaves out some significant details.
Here, then, is a short, modified version of the FAQ answer that includes the left-out parts, followed by a longer version that explains the process in greater detail.
Short version:

gpg --edit-key "Petre Scheie"
(at the Command> prompt: addkey, choose DSA (sign only), take the defaults, then save)
gpg --list-keys
(note the key ID of the new DSA subkey; here it is 30B8F215)
gpg --export-secret-subkeys --no-comment 30B8F215 >secring.auto
mkdir /tmp/gpg
cp ~/secring.auto /tmp/gpg/secring.gpg
cp ~/.gnupg/pubring.gpg /tmp/gpg/
cd /tmp/gpg
gpg --homedir . --edit 30B8F215
(at the Command> prompt: key 2, passwd, give an empty passphrase, then save)
cd
cp -r .gnupg .gnupg.insec
cp /tmp/gpg/secring.gpg .gnupg.insec/
gpg --homedir ~/.gnupg.insec -s -r "Mohammad Imam" --default-key 30B8F215 -o file.txt.gpg -e file.txt

Long version:

Start by listing the keys you have:

gpg --list-keys
/home/pscheie/.gnupg/pubring.gpg
--------------------------------
pub 1024D/05B27CE2 2004-03-12 Petre Scheie (created 10:43 3-12-04)
sub 1024g/F8DEDB3D 2004-03-12

pub 1024D/E2DBCA66 2003-04-11 Mohammad Imam (Oracle DBA)
sub 1024g/217F8766 2003-04-11

pub 1024D/FEE0FDA8 2004-03-11 Petre Two (second ID for gpg testing)
sub 1024g/C169F4E8 2004-03-11
In the above example, it's the first key pair, for Petre Scheie, that we are interested in. The first column indicates whether it's a primary (pub) or subordinate (sub) key. I'm not sure what the difference is, especially with the public keys from other people that have been imported, in this case, Mohammad Imam and Petre Two. The second column indicates the size of the key; in this case, they're all 1024-bit. The third column is the important one, and is easy to overlook as it is the single letter right next to the size. In the example above, the key type is either D or g. The D stands for DSA and is for signing; the g stands for El Gamal and is for encrypting. The fourth column, which is separated from the third column by the slash (why they use a separator here and nowhere else escapes me), is the key ID. The fifth column shows when the key was created. The sixth column has three parts: the person's name, a comment, and an email address, any of which can be used when you're telling GPG which key you want to edit. Generally, I find it easiest to use the key ID (column four) or the person's name in quotes (column six) when telling GPG which key I'm interested in. In the GPG documentation, they seem to use the email address more frequently.
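The column layout just described is easy to misread by eye, so here is an added example (not from the original page) that pulls the listing apart with awk: it splits the "1024D/30B8F215" field into size, type letter and key ID, labels D as signing and g as encrypting, and picks out the subkey ID you would hand to --default-key. It expects the GnuPG 1.x listing format shown on this page; the sample listing below is re-typed from the page as constructed test input.

```shell
# Print one line per key:  role size type id use date [uid]
# The single type letter glued to the size decides what the key is for:
#   D -> DSA, signs;  g -> ElGamal, encrypts
parse_listing() {
    awk '
    $1 == "pub" || $1 == "sub" {
        split($2, kt, "/")                        # "1024D/05B27CE2" -> size+type, id
        size = substr(kt[1], 1, length(kt[1]) - 1)
        type = substr(kt[1], length(kt[1]))
        use  = (type == "D") ? "sign" : (type == "g") ? "encrypt" : "unknown"
        uid  = ""
        for (i = 4; i <= NF; i++) uid = (i == 4) ? $i : uid " " $i
        printf "%s %s %s %s %s %s", $1, size, type, kt[2], use, $3
        if (uid != "") printf " %s", uid
        printf "\n"
    }'
}

# Key ID of the first DSA (signing) subkey, i.e. the value for --default-key.
# Prints nothing and returns 1 when the listing has no such subkey.
signing_subkey() {
    parse_listing | awk '
        $1 == "sub" && $3 == "D" { print $4; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: the listing from this page after addkey was run.
SAMPLE_LISTING='/home/pscheie/.gnupg/pubring.gpg
--------------------------------
pub 1024D/05B27CE2 2004-03-12 Petre Scheie (created 10:43 3-12-04)
sub 1024g/F8DEDB3D 2004-03-12
sub 1024D/30B8F215 2004-03-12'

# Usage: printf '%s\n' "$SAMPLE_LISTING" | signing_subkey
# (on a live system: gpg --list-keys | signing_subkey)
```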
Run gpg with the --edit-key option and tell it which key you want to edit.
gpg --edit-key "Petre Scheie"
At the Command> prompt, type 'addkey'. It will ask for the passphrase of your secret key--this is to prevent someone else from adding keys to your ring. Next it will ask what kind of key to add. Choose DSA (sign only). For the other questions, just use the default answers. Once back at the Command> prompt, type 'save' to save and exit. If you run 'gpg --list-keys' now, you'll see your new signing key:
cacsdv01:/home/pscheie >gpg --list-keys
/home/pscheie/.gnupg/pubring.gpg
--------------------------------
pub 1024D/05B27CE2 2004-03-12 Petre Scheie (created 10:43 3-12-04)
sub 1024g/F8DEDB3D 2004-03-12
sub 1024D/30B8F215 2004-03-12
gpg --export-secret-subkeys --no-comment 30B8F215 >secring.auto
Your secret keys are stored in ~/.gnupg/secring.gpg. The reason you need to export the secret ring, instead of just copying it and working on that copy, is that --export-secret-subkeys will strip out all the secret parts of your primary key, which are, near as I can tell, the first two entries you see when you list your keys; that is, the D key and the g key. This is important for security reasons. If you didn't strip those parts out, anyone with access to the copied ring could use all your keys, including those used to decrypt files and sign files, without a passphrase, which would defeat the whole purpose of encrypting the files.
mkdir /tmp/gpg
cp ~/secring.auto /tmp/gpg/secring.gpg
cp ~/.gnupg/pubring.gpg /tmp/gpg/
cd /tmp/gpg
gpg --homedir . --edit 30B8F215
GPG looks for the secret ring under the --homedir as secring.gpg, which is why the exported secring.auto is copied in under that name (the alternative is to pass --secret-keyring secring.auto on the gpg command line).
At the Command> prompt, use the 'key 2' command to indicate that it is the second subkey that you want to edit. (The pub key isn't counted, for whatever reason.) GPG will put an asterisk by the selected key.
Command> key 2
pub 1024D/05B27CE2 created: 2004-03-12 expires: never trust: u/u
sub 1024g/F8DEDB3D created: 2004-03-12 expires: never
sub* 1024D/30B8F215 created: 2004-03-12 expires: never
(1). Petre Scheie (created 10:43 3-12-04)
At the prompt, type 'passwd'. First you'll be prompted for your private key passphrase, which is needed in order to gain the right to change the passphrase. Then you'll be asked for the new passphrase for the signing key. Just hit Enter, and again when it asks you to confirm the new passphrase. GPG will tell you that using a blank passphrase is a bad idea, which it is, but obviously you've already considered the potential perils and concluded it's a reasonable risk. ;-) Then type 'save' to save and exit.
Command> passwd
Secret parts of primary key are not available.
You need a passphrase to unlock the secret key for
Enter the new passphrase for this secret key.
You don't want a passphrase - this is probably a *bad* idea!
Do you really want to do this? y
Command> save
cd
cp /tmp/gpg/secring.gpg .gnupg.insec/
gpg --homedir ~/.gnupg.insec -s -r "Mohammad Imam" --default-key 30B8F215 -o outputfile.gpg -e file.txt
The --homedir option tells GPG to look in .gnupg.insec for the keys to be used; -s means sign the file with your private key so that the recipient will be able to verify that you actually created the file. -r indicates the recipient, that is, which public key to use to encrypt the file. --default-key says which key to use for the signing (see Troubleshooting below); this is a really important piece that the FAQ leaves out: if you don't specify the signing key, GPG will just use the default key, which won't work because all the necessary secret parts were removed from the default key in the export stage. -o indicates the name to be used for the encrypted file that will be created; and -e means encrypt the file.

This syntax allows you to keep your existing .gnupg directory for the more secure operations in which interacting with GPG to encrypt the files isn't a problem. In other words, the default operation of GPG will still require the user to enter passphrases, but for just signing a file within a batch script, the .gnupg.insec/ directory can be used.
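Since the subkey in .gnupg.insec has no passphrase, the directory itself is the only thing standing between the cron job's key and any other user on the box. The following is an added example (not from the original page or the GnuPG FAQ) of a cron-ready wrapper for the command above: it refuses to run unless the insecure home directory and its secring.gpg are readable by this user only, then runs gpg with --batch so it never prompts. INSEC_HOME, RECIPIENT and SIGN_KEY are assumed variable names (defaults taken from this page); check_insec_home, mode_of and sign_and_encrypt are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Assumed settings; the key ID and recipient are the ones used on this page.
INSEC_HOME="${INSEC_HOME:-$HOME/.gnupg.insec}"
RECIPIENT="${RECIPIENT:-Mohammad Imam}"
SIGN_KEY="${SIGN_KEY:-30B8F215}"

# Permission bits of a path in octal, e.g. 700 or 600 (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Succeed only when DIR is our own directory with mode 700 and holds a
# secring.gpg (the passphrase-less ring) with mode 600.
check_insec_home() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ -O "$dir" ] || { echo "not owned by $(id -un): $dir" >&2; return 1; }
    [ "$(mode_of "$dir")" = "700" ] || { echo "expected mode 700 on $dir" >&2; return 1; }
    [ -f "$dir/secring.gpg" ] || { echo "missing $dir/secring.gpg" >&2; return 1; }
    [ "$(mode_of "$dir/secring.gpg")" = "600" ] || { echo "expected mode 600 on $dir/secring.gpg" >&2; return 1; }
    return 0
}

# Sign with the passphrase-less subkey and encrypt to the recipient.
# --batch keeps gpg from ever prompting (it fails instead), --yes lets it
# overwrite an old output file, and a failed run removes any partial output
# so a broken file is never handed on to the next step.
sign_and_encrypt() {
    infile=$1; outfile=$2
    check_insec_home "$INSEC_HOME" || return 1
    gpg --homedir "$INSEC_HOME" --batch --yes -s -r "$RECIPIENT" \
        --default-key "$SIGN_KEY" -o "$outfile" -e "$infile" \
        || { rm -f "$outfile"; echo "gpg failed for $infile" >&2; return 1; }
}

# Usage from cron: sign_and_encrypt /path/to/file.txt /path/to/file.txt.gpg
```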
Troubleshooting

A passphrase prompt for a key other than the signing subkey, such as
user: "Petre Scheie (created 10:43 3-12-04)
1024-bit ELG-E key, ID F8DEDB3D, created 2004-03-12
means the command is not using the passphrase-less subkey; check the --homedir and --default-key options.

The .gnupg.insec directory has to exist, with the public ring in it, before the secret ring is copied over; copying the existing directory gives you both:
cp -r .gnupg .gnupg.insec

When the recipient decrypts the file, GPG checks the signature at the same time; look for
gpg: Signature made Fri Mar 12 14:05:18 2004 CST using DSA key ID 30B8F215
gpg: Good signature from "Petre Scheie (created 10:43 3-12-04)
in the output. Or you can use --verify-files, which seems to produce output only if there are errors.