diff --git a/sm/ChangeLog b/sm/ChangeLog
index 609939601..586a8882a 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,8 @@
+2006-10-17 Werner Koch
+
+ * sign.c (gpgsm_get_default_cert): Changed to return only
+ certificates usable for signing.
+
 2006-10-16 Werner Koch
 
 * certchain.c (already_asked_marktrusted)
diff --git a/sm/sign.c b/sm/sign.c
index ae602be24..e30287348 100644
--- a/sm/sign.c
+++ b/sm/sign.c
@@ -124,8 +124,8 @@ hash_and_copy_data (int fd, gcry_md_hd_t md, ksba_writer_t writer)
 }
 
 
-/* Get the default certificate which is defined as the first one our
- keyDB returns and has a secret key available. */
+/* Get the default certificate which is defined as the first cabable
+ of signing our keyDB returns and has a secret key available. */
 int
 gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert)
 {
@@ -153,20 +153,23 @@ gpgsm_get_default_cert (ctrl_t ctrl, ksba_cert_t *r_cert)
 keydb_release (hd);
 return rc;
 }
-
- p = gpgsm_get_keygrip_hexstring (cert);
- if (p)
+
+ if (!gpgsm_cert_use_sign_p (cert))
 {
- if (!gpgsm_agent_havekey (ctrl, p))
+ p = gpgsm_get_keygrip_hexstring (cert);
+ if (p)
 {
+ if (!gpgsm_agent_havekey (ctrl, p))
+ {
+ xfree (p);
+ keydb_release (hd);
+ *r_cert = cert;
+ return 0; /* got it */
+ }
 xfree (p);
- keydb_release (hd);
- *r_cert = cert;
- return 0; /* got it */
 }
- xfree (p);
 }
-
+
 ksba_cert_release (cert);
 cert = NULL;
 }
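Review bot: In the sm/sign.c hunk at -124,8, the reworded comment above gpgsm_get_default_cert misspells "capable" as "cabable" and drops the noun, so the selection rule is hard to read. This sentence is the only statement of which certificate becomes the default signer, so I would write it as `/* Get the default certificate: the first certificate returned by our keyDB that is usable for signing and has a secret key available. */`. The code visible in this diff checks only key usage and secret-key presence, so the comment could also say that validity (expiry, chain, revocation) is presumably left to the caller; that should be confirmed before it is written down. The function body continues outside this hunk.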
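Review bot: In the sm/sign.c hunk at -153,20, the new test `if (!gpgsm_cert_use_sign_p (cert))` throws away the returned error code. A certificate skipped because its key usage could not be evaluated is therefore indistinguishable from one that is simply not meant for signing, and the caller only sees whatever the loop ends with outside this hunk. Both this call and `gpgsm_agent_havekey` treat 0 as success, which reads inverted next to a `_p` predicate name; a one-line comment such as `/* 0 means the certificate may be used for signing. */` above the test would stop a later edit from flipping the filter. If gpgsm_cert_use_sign_p logs a diagnostic for certificates with the wrong usage (not visible here), this loop will emit one per non-signing certificate in the keyDB, so that is worth checking. The enclosing loop and function start and end outside the hunk.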