diff --git a/NEWS b/NEWS
index fd48d10e..349e217f 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,9 @@
 - Rename `sq key subkey expire`'s `--subkey` argument to `--key`.
 - `sq key expire` and `sq key subkey expire` can now use the cert store and the key store.
+ - Add the `--password-file` argument to the `sq sign` command to
+ allow the user to prefill the password cache with a password from
+ a file.
 * Changes in 0.36.0
 - Missing
 * Changes in 0.35.0
diff --git a/src/cli/sign.rs b/src/cli/sign.rs
index ef33ab5c..ddd74c52 100644
--- a/src/cli/sign.rs
+++ b/src/cli/sign.rs
@@ -121,6 +121,18 @@ pub struct Command {
 help = "Sign the message using the specified key on the key store",
 )]
 pub signer_key: Vec,
+ #[clap(
+ long,
+ value_name = "FILE",
+ help = "File containing password to decrypt key",
+ long_help = "\
+File containing password to decrypt the signing key. Note that the \
+entire key file will be used as the password, including surrounding \
+whitespace like for example a trailing newline.
+
+If multiple passwords are provided, then they are tried in turn.",
+ )]
+ pub password_file: Vec,
 #[clap(
 long,
 value_names = &["NAME", "VALUE"],
diff --git a/src/commands/sign.rs b/src/commands/sign.rs
index f9c8f612..373b56a4 100644
--- a/src/commands/sign.rs
+++ b/src/commands/sign.rs
@@ -50,6 +50,14 @@ pub fn dispatch(sq: Sq, command: cli::sign::Command) -> Result<()> {
 load_certs(command.secret_key_file.iter().map(|s| s.as_ref()))?;
 let signer_keys = &command.signer_key[..];
+ for file in command.password_file {
+ let password = std::fs::read(&file)
+ .with_context(|| {
+ format!("Reading password from {}", file.display())
+ })?;
+ sq.cache_password(password.into());
+ }
+
 let notations = parse_notations(command.notation)?;
 if let Some(merge) = command.merge {
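Review bot: In the `long_help` added to `src/cli/sign.rs`, the phrase "the entire key file will be used as the password" names the wrong file: the option reads a password file, and a user could take this to mean the key file's contents are the password. I would change that line to `entire password file will be used as the password, including surrounding \`. Since an untrimmed trailing newline is the likeliest reason a correct-looking password fails to unlock the key, the short `help` could carry the caveat too, e.g. `help = "File containing password to decrypt key (used verbatim, not trimmed)"`. The `Command` struct starts and ends outside this hunk.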
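Review bot: In `dispatch` (`src/commands/sign.rs`), `std::fs::read(&file)` accepts the password file whatever its permissions, so a file left group- or world-readable is used with no signal to the user. A warning on Unix when any of the `0o077` mode bits is set would catch that common mistake; the sketch below uses `eprintln!` only as a stand-in for whatever warning output the project normally uses. Separately, the password lives in an ordinary `Vec<u8>` until `.into()`, and whether that conversion wipes the source buffer is not visible in this hunk, so a short comment recording the assumption would help the next reader. `dispatch` starts and ends outside the hunk.

```rust
for file in command.password_file {
    // Warn if group or others can access the password file.
    #[cfg(unix)]
    {
        if let Ok(meta) = std::fs::metadata(&file) {
            let mode = std::os::unix::fs::PermissionsExt::mode(&meta.permissions());
            if mode & 0o077 != 0 {
                eprintln!(
                    "Warning: password file {} is accessible to other users (mode {:o})",
                    file.display(),
                    mode & 0o777
                );
            }
        }
    }
    // … unchanged: std::fs::read(&file) with context, sq.cache_password(password.into()) …
}
```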