diff --git a/contrib/sign.sh b/contrib/sign.sh index 0923b2dc..ea9405a9 100755 --- a/contrib/sign.sh +++ b/contrib/sign.sh @@ -2,17 +2,19 @@ set -e -if [ $# -ne 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o ! -r "$2" ]; then +if [ $# -eq 0 -o $# -gt 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o \( $# -eq 2 -a ! -r "$2" \) ]; then cat < +Usage: $0 [] sign.sh adds lines to a manifest to indicate the approval of the integrity of the firmware as required for automated -updates. The first argument references a file harboring -the private key of a public-private key pair of a developer -that referenced by its public key in the site configuration. -The script may be performed multiple times to the same document -to indicate an approval by multiple developers. +updates. The first optional argument references a +file harboring the private key of a public-private key pair +of a developer that referenced by its public key in the site +configuration. If this parameter is missing, you will be +asked to type in secret key. The script may be performed +multiple times to the same document to indicate an approval +by multiple developers. See also * edcsautils on https://github.com/tcatm/ecdsautils @@ -21,9 +23,17 @@ EOHELP exit 1 fi -SECRET="$1" +if [ $# -eq 1 ]; then + stty -echo + read -p "Type in secret key: " secret + stty echo + echo + manifest="$1" +else + secret="$1" + manifest="$2" +fi -manifest="$2" upper="$(mktemp)" lower="$(mktemp)" @@ -35,7 +45,11 @@ awk 'BEGIN { sep=0 } else print > "'"$lower"'"}' \ "$manifest" -ecdsasign "$upper" < "$SECRET" >> "$lower" +if [ $# -eq 1 ]; then + echo "$secret" | ecdsasign "$upper" >> "$lower" +else + ecdsasign "$upper" < "$secret" >> "$lower" +fi ( cat "$upper"
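Review bot: The new argument check in the first hunk chains many operands with `-o`, `-a` and `\( \)` inside a single `[`, a form POSIX marks obsolescent and leaves unspecified beyond four arguments, so a first argument that looks like an operator (for example `!` or `(`) may be parsed differently from one shell to another. Since this test decides which file is later read as the private key, separate tests are safer: `if [ $# -lt 1 ] || [ $# -gt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ ! -r "$1" ] || { [ $# -eq 2 ] && [ ! -r "$2" ]; }; then`. The help text could also say that the typed key is not echoed to the terminal.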
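Review bot: In the one-argument branch of the second hunk, echo is switched off with `stty -echo` and restored only on the success path, so with `set -e` active an end-of-file or interrupt during `read` leaves the user's terminal without echo. Install a restore handler before disabling echo, e.g. `trap 'stty echo' EXIT INT TERM`, and use `read -r` so backslashes in the typed input are not interpreted. `read -p` is a bash extension and the shebang lies outside this hunk, so confirm the script is not run by a plain POSIX `sh`. The variable `secret` holds key material in this branch but a file path in the `else` branch; two distinct names (say `secret_key` and `secret_file`) would make the signing step harder to misread.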
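Review bot: In the third hunk the typed key is fed through `echo "$secret" | ecdsasign ...`, and `echo` handles leading options and backslash sequences differently across shells, so the bytes reaching `ecdsasign` are not guaranteed to match what was typed; `printf '%s\n' "$secret" | ecdsasign "$upper" >> "$lower"` is predictable. An empty entry is also passed on unchecked, and whether `ecdsasign` rejects it is not visible here, so a guard such as `[ -n "$secret" ] || exit 1` before signing would be cheap. The branch re-tests `$# -eq 1` rather than a flag set where the key was read, which ties this step to the argument count staying untouched in between.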