diff --git a/helper/pgpkeys/flag.go b/helper/pgpkeys/flag.go
index ccfc64b80..a7371e50a 100644
--- a/helper/pgpkeys/flag.go
+++ b/helper/pgpkeys/flag.go
@@ -11,48 +11,90 @@ import (
 	"github.com/keybase/go-crypto/openpgp"
 )
 
-// PGPPubKeyFiles implements the flag.Value interface and allows
-// parsing and reading a list of pgp public key files
+// PubKeyFileFlag implements flag.Value and command.Example to receive exactly
+// one PGP or keybase key via a flag.
+type PubKeyFileFlag string
+
+func (p *PubKeyFileFlag) String() string { return string(*p) }
+
+func (p *PubKeyFileFlag) Set(val string) error {
+	if p != nil && *p != "" {
+		return errors.New("can only be specified once")
+	}
+
+	keys, err := ParsePGPKeys(strings.Split(val, ","))
+	if err != nil {
+		return err
+	}
+
+	if len(keys) > 1 {
+		return errors.New("can only specify one pgp key")
+	}
+
+	*p = PubKeyFileFlag(keys[0])
+	return nil
+}
+
+func (p *PubKeyFileFlag) Example() string { return "keybase:user" }
+
+// PGPPubKeyFiles implements the flag.Value interface and allows parsing and
+// reading a list of PGP public key files.
 type PubKeyFilesFlag []string
 
 func (p *PubKeyFilesFlag) String() string {
 	return fmt.Sprint(*p)
 }
 
-func (p *PubKeyFilesFlag) Set(value string) error {
+func (p *PubKeyFilesFlag) Set(val string) error {
 	if len(*p) > 0 {
-		return errors.New("pgp-keys can only be specified once")
+		return errors.New("can only be specified once")
 	}
 
-	splitValues := strings.Split(value, ",")
-
-	keybaseMap, err := FetchKeybasePubkeys(splitValues)
+	keys, err := ParsePGPKeys(strings.Split(val, ","))
 	if err != nil {
 		return err
 	}
 
-	// Now go through the actual flag, and substitute in resolved keybase
-	// entries where appropriate
-	for _, keyfile := range splitValues {
+	*p = PubKeyFilesFlag(keys)
+	return nil
+}
+
+func (p *PubKeyFilesFlag) Example() string { return "keybase:user1, keybase:user2, ..." }
+
+// ParsePGPKeys takes a list of PGP keys and parses them either using keybase
+// or reading them from disk and returns the "expanded" list of pgp keys in
+// the same order.
+func ParsePGPKeys(keyfiles []string) ([]string, error) {
+	keys := make([]string, len(keyfiles))
+
+	keybaseMap, err := FetchKeybasePubkeys(keyfiles)
+	if err != nil {
+		return nil, err
+	}
+
+	for i, keyfile := range keyfiles {
+		keyfile = strings.TrimSpace(keyfile)
+
 		if strings.HasPrefix(keyfile, kbPrefix) {
-			key := keybaseMap[keyfile]
-			if key == "" {
-				return fmt.Errorf("key for keybase user %s was not found in the map", strings.TrimPrefix(keyfile, kbPrefix))
+			key, ok := keybaseMap[keyfile]
+			if !ok || key == "" {
+				return nil, fmt.Errorf("keybase user %q not found", strings.TrimPrefix(keyfile, kbPrefix))
 			}
-			*p = append(*p, key)
+			keys[i] = key
 			continue
 		}
 
 		pgpStr, err := ReadPGPFile(keyfile)
 		if err != nil {
-			return err
+			return nil, err
 		}
-
-		*p = append(*p, pgpStr)
+		keys[i] = pgpStr
 	}
-	return nil
+
+	return keys, nil
 }
 
+// ReadPGPFile reads the given PGP file from disk.
 func ReadPGPFile(path string) (string, error) {
 	if path[0] == '@' {
 		path = path[1:]