@wmudge
Forked from mrgrain/pinentry-1password.sh
Last active March 2, 2026 17:18
1Password CLI pinentry for gpg-agent

GPG-to-1Password

Connect your gpg-agent to 1Password so you can unlock your GPG key from the password manager.

Prerequisites

  • 1Password CLI
  • GnuPG

Instructions

First, copy the pinentry-1password.sh script to a suitable location and set it as executable, i.e. chmod +x pinentry-1password.sh.

Then to your ~/.gnupg/gpg-agent.conf file, add (or update) the following entry:

pinentry-program <path to the pinentry-1password.sh script>

Then set the following two environment variables:

export OP_GPG_ENTRY=""
export OP_GPG_VAULT=""

Optionally set the following if the field on the 1Password entry is not password:

export OP_GPG_FIELD=""

Finally, kill and restart your gpg-agent:

gpg-connect-agent killagent /bye; gpg-connect-agent updatestartuptty /bye

GPG Key in 1Password

You can get the values for these variables from the "private link" option within the 1Password desktop application for the selected entry. For example:

https://start.1password.com/open/i?a=<your account ID>&v=<your vault ID>&i=<your entry ID>&h=my.1password.com

I have had success using the API Credential type; I can use the credential field for the password and use the expires field for notification of expiring keys. Moreover, I add my public and private GPG keys as files.

Credits

I stumbled upon mrgrain's original gist, and boom, we were off to the races! This is a slightly modified version of that script.

#!/bin/bash
# Connect your gpg-agent to 1Password so you can unlock your GPG key from the password manager.
#
# First, copy this file to a suitable location. Then in your ~/.gnupg/gpg-agent.conf file, add
# (or update) the following entry:
#
# pinentry-program <path to the pinentry-1password.sh script>
#
# Then set the following two environment variables:
#
# export OP_GPG_ENTRY=""
# export OP_GPG_VAULT=""
#
# Optionally set the following if the field on the 1Password entry is not 'password':
#
# export OP_GPG_FIELD=""
#
# Finally, kill and restart your gpg-agent:
#
# gpg-connect-agent killagent /bye; gpg-connect-agent updatestartuptty /bye
#
# You can get the values for these variables from the "private link" option within the 1Password desktop
# application for the selected entry. For example:
#
# https://start.1password.com/open/i?a=<your account ID>&v=<your vault ID>&i=<your entry ID>&h=my.1password.com
#
# I have had success using the API Credential type because of the 'expires' field. Moreover, you can then add
# the public and private GPG keys.
#
# Derived from https://gist.github.com/mrgrain/9c3519952d9af811bd7bf50bfcfaa16f with only minor adjustments!
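# Secret reference resolved by the 1Password CLI; the field defaults to 'password'.
OP_REF="op://${OP_GPG_VAULT}/${OP_GPG_ENTRY}/${OP_GPG_FIELD:-password}"
#LOG="${HOME}/.pinentry-1password.log"
LOG=/dev/null
echo "----- $(date)" >> "$LOG"
# Assuan greeting expected by gpg-agent.
echo "OK"
while read -r cmd val; do
    echo "$cmd $val" >> "$LOG"
    case "$cmd" in
        \#*)
            ;;
        GETPIN)
            # Log the lookup only, never the secret itself.
            echo "==> D op read $OP_REF" >> "$LOG"
            pin="$(op read "$OP_REF")"
            # A literal '%' in an Assuan data line must be sent as %25.
            printf 'D %s\n' "${pin//%/%25}"
            ;;
        SETERROR)
            echo "ERR 31 Invalid passphrase"
            ;;
        BYE)
            exit 0
            ;;
        *)
            ;;
    esac
    echo "OK"
done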
akostadinov commented Nov 14, 2025

copilot said that response needs to be percent encoded, just FYI
e.g. sed -e 's/%/%25/g'
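
The percent-encoding point from the comment above, carried through as an added example (not part of the gist or its author's code). It goes beyond `%` to the CR and LF escapes that Assuan data lines also require, and answers GETPIN with an error instead of an empty passphrase when the lookup fails. The names `assuan_encode`, `getpin_reply` and `sample_secret` are hypothetical, and the sample secret is constructed.

```shell
#!/bin/sh
# Added example: Assuan-safe GETPIN reply for a script-based pinentry.
CR=$(printf '\r')
LF='
'

# Escape the characters that may not appear raw in an Assuan "D" line.
assuan_encode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}           # everything after the first character
        c=${s%"$rest"}        # the first character itself
        case $c in
            %)     out="${out}%25" ;;
            "$CR") out="${out}%0D" ;;
            "$LF") out="${out}%0A" ;;
            *)     out="${out}${c}" ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Print the reply to GETPIN. "$@" is the command that prints the secret,
# which in the gist would be `op read <reference>`.
getpin_reply() {
    if pin=$("$@" 2>/dev/null) && [ -n "$pin" ]; then
        printf 'D %s\nOK\n' "$(assuan_encode "$pin")"
    else
        # Lookup failed or returned nothing: report a cancel rather than
        # handing gpg-agent an empty passphrase. 83886179 is the code
        # stock pinentry programs send for "cancelled".
        printf 'ERR 83886179 Operation cancelled <Pinentry>\n'
    fi
}

# Constructed stand-in for the 1Password lookup so this runs offline.
sample_secret() { printf 'tr0ub%%4dor\n'; }

getpin_reply sample_secret
```

On failure only the `ERR` line is sent, so a loop using `getpin_reply` should not print its own trailing `OK` for GETPIN.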