diff --git a/src/adb.c b/src/adb.c
index e89dc3f..47ed368 100644
--- a/src/adb.c
+++ b/src/adb.c
@@ -1180,7 +1180,7 @@ int adb_trust_write_signatures(struct apk_trust *trust, struct adb *db, struct a
 		struct adb_sign_v0 v0;
 		unsigned char buf[ADB_MAX_SIGNATURE_LEN];
 	} sig;
-	struct apk_trust_key *tkey;
+	struct apk_trust_secret_key *tkey;
 	apk_blob_t md;
 	size_t siglen;
 	int r;
diff --git a/src/apk_trust.h b/src/apk_trust.h
index 409ab0b..0b87566 100644
--- a/src/apk_trust.h
+++ b/src/apk_trust.h
@@ -18,7 +18,7 @@ struct apk_trust_key {
 	char *filename;
 };
 
-struct apk_trust_secret {
+struct apk_trust_secret_key {
 	struct list_head key_node;
 	struct apk_secret_key key;
 	char *filename;
diff --git a/src/trust.c b/src/trust.c
index 7934497..6c7d661 100644
--- a/src/trust.c
+++ b/src/trust.c
@@ -21,6 +21,25 @@ static struct apk_trust_key *apk_trust_load_public(int dirfd, const char *filena
 	return key;
 }
 
+static struct apk_trust_secret_key *apk_trust_load_secret(int dirfd, const char *filename)
+{
+	struct apk_trust_secret_key *key;
+	int r;
+
+	key = calloc(1, sizeof *key);
+	if (!key) return ERR_PTR(-ENOMEM);
+
+	r = apk_secret_key_load(&key->key, dirfd, filename);
+	if (r != 0) {
+		free(key);
+		return ERR_PTR(r);
+	}
+
+	list_init(&key->key_node);
+	key->filename = strdup(filename);
+	return key;
+}
+
 static int __apk_trust_load_pubkey(void *pctx, int dirfd, const char *filename)
 {
 	struct apk_trust *trust = pctx;
@@ -93,11 +112,11 @@ static int option_parse_signing(void *ctx, struct apk_ctx *ac, int optch, const
 {
 	struct apk_trust *trust = &ac->trust;
 	struct apk_out *out = &ac->out;
-	struct apk_trust_key *key;
+	struct apk_trust_secret_key *key;
 
 	switch (optch) {
 	case OPT_SIGN_sign_key:
-		key = apk_trust_load_public(AT_FDCWD, optarg);
+		key = apk_trust_load_secret(AT_FDCWD, optarg);
 		if (IS_ERR(key)) {
 			apk_err(out, "Failed to load signing key: %s: %s",
 				optarg, apk_error_str(PTR_ERR(key)));