gpg-setup.sh makes 1Password the home and the live unlock agent for your GPG key. Run it once and the manual fiddling goes away:
- It generates a new GPG key whose passphrase is a 64-character secret that 1Password creates β you never see it or type it.
- It stores the public key, private key, and revocation certificate as documents in your 1Password vault, so a fresh machine is one download and
gpg --importaway. - It rewires
gpg-agentso that every operation that needs your private key β signing and decryption β pulls the passphrase straight from 1Password through a small pinentry wrapper. Nothing to memorize, no passphrase on disk. - It sets 1Password's own expiry date to match the key's, so the item itself shows when the key is due for rotation.
After it runs, GPG just works: while 1Password is unlocked, signing and decryption succeed silently; when it's locked, you approve the 1Password CLI prompt once. There's nothing else to remember.