diff --git a/docker-compose.yml b/docker-compose.yml
index a560efb..3e39487 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -115,6 +115,8 @@ services:
 SIGNER_WORKDIR: /srv/ca/work
 SIGNER_CA_CONFIG: /srv/caconfig
 SIGNER_BASEDIR: /srv/ca
+ SIGNER_GPG_KEYRING_DIR: /srv/ca/gpg
+ SIGNER_GPG_ID: gpg@cacert.localhost
 volumes:
 - signersockets:/srv/sockets
 - signerdata:/srv/ca
diff --git a/docker/run-signer b/docker/run-signer
index edf1ca0..9f95d85 100755
--- a/docker/run-signer
+++ b/docker/run-signer
@@ -2,10 +2,6 @@
 set -eu
-rm -f /srv/sockets/signer
-socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
-sleep 1
-
 export SERIAL_PORT=/dev/ttyUSB0
 mkdir -p /srv/ca/CA/certs /srv/ca/CA/private /srv/ca/CA/newcerts
@@ -16,13 +12,19 @@ if [ ! -f /srv/ca/CA/index.txt.attr ]; then cp /srv/testca/root/index.txt.attr /
 if [ ! -f /srv/ca/CA/serial ]; then echo -n '00' > /srv/ca/CA/serial; fi
 if [ ! -f /srv/ca/CA/crlnumber ]; then echo 1000 > /srv/ca/CA/crlnumber; fi
-mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts
+mkdir -p /srv/ca/class3/certs /srv/ca/class3/private /srv/ca/class3/newcerts /srv/ca/gpg/gpg_root_0
 cp /srv/testca/class3/ca.crt.pem /srv/ca/class3/ca.crt.pem
 cp /srv/testca/class3/private/ca.key.pem /srv/ca/class3/private/ca.key.pem
 if [ ! -f /srv/ca/class3/index.txt ]; then cp /srv/testca/class3/index.txt /srv/ca/class3/index.txt; fi
 if [ ! -f /srv/ca/class3/index.txt.attr ]; then cp /srv/testca/class3/index.txt.attr /srv/ca/class3/index.txt.attr; fi
 if [ ! -f /srv/ca/class3/serial ]; then echo -n '00' > /srv/ca/class3/serial; fi
 if [ ! -f /srv/ca/class3/crlnumber ]; then echo 1000 > /srv/ca/class3/crlnumber; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/secring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/secring.gpg; fi
+if [ ! -f /srv/ca/gpg/gpg_root_0/pubring.gpg ]; then cp /srv/testca/gpg/gpg_root_0/secring.gpg /srv/ca/gpg/gpg_root_0/pubring.gpg; fi
+
+rm -f /srv/sockets/signer
+socat -d -d PTY,link=/dev/ttyUSB0 UNIX-LISTEN:/srv/sockets/signer 2>&1 &
+sleep 1
 cd /srv/CommModule/
diff --git a/setup_test_ca.sh b/setup_test_ca.sh
index 6b9a5fc..755a415 100755
--- a/setup_test_ca.sh
+++ b/setup_test_ca.sh
@@ -9,7 +9,7 @@ COUNTRY_CODE="AU"
 if [ ! -d testca/ ]; then
 mkdir -p testca/
 cd testca
- mkdir -p root/newcerts class3/newcerts root/private class3/private certs
+ mkdir -p root/newcerts class3/newcerts root/private class3/private certs gpg/gpg_root_0
 touch root/index.txt class3/index.txt
 else
 cd testca
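Review bot: The added `pubring.gpg` line copies from `/srv/testca/gpg/gpg_root_0/secring.gpg`, so the signer's public keyring is populated with the secret keyring file; this looks like a copy-paste slip from the line above, and the source should presumably be `/srv/testca/gpg/gpg_root_0/pubring.gpg`. Apart from breaking key lookup, it leaves secret key material in a file whose name suggests it is safe to read or share. The new `/srv/ca/gpg/gpg_root_0` directory is also created with the default mode; since it is used as a GnuPG keyring directory, add `chmod 700 /srv/ca/gpg/gpg_root_0` after the `mkdir -p`. It is worth confirming that the generated test home actually contains `secring.gpg`, because GnuPG 2.1 and later keep secret keys under `private-keys-v1.d` instead, and under `set -eu` a missing source file aborts startup.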
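Review bot: `gpg/gpg_root_0` is added only to the `mkdir -p` inside the `if [ ! -d testca/ ]` branch, so a tree that already has `testca/` takes the `else` path and never gets the keyring directory that the new GnuPG step at the end of the script relies on. Create it unconditionally after the `if`/`else` and restrict it, e.g. `mkdir -p gpg/gpg_root_0 && chmod 700 gpg/gpg_root_0`, since it will hold the test signing key. That later step also tests `gpg/gpg_root_0/secring.gpg` relative to `testca/` but passes `--homedir testca/gpg/gpg_root_0`, which after the `cd testca` seen here would appear to resolve to `testca/testca/...`; the two paths should agree. The `if`/`else` block closes outside this hunk.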
@@ -223,3 +223,16 @@ if [ ! -f certs/testclient.p12 ]; then
 -in certs/testclient.crt.pem \
 -name "${CLIENT_CERT_USERNAME}"
 fi
+
+if [ ! -f gpg/gpg_root_0/secring.gpg ]; then
+ gpg --homedir testca/gpg/gpg_root_0 --generate-key --batch <