Get pinentry to work in a container
zyxhere💭
zyx at envs.net
Sat Aug 30 22:41:19 CEST 2025
Hi! I have created a container for development purposes with
bubblewrap[1] and unshare. So far it has been working great;
the only thing that isn't working is gpg-signed commits with
git. I have bind mounted the $GNUPGHOME into the container
and gpg can see it with gpg --list-keys. Now when I sign
commits with it I get:
```
gpg: signing failed: Inappropriate ioctl for device
```
This was fixed by adding `export GPG_TTY=$(tty)` to
~/.bash_profile ($(tty) points to /dev/console). But now
I get:
```
localhost # git commit -s -S -a -m "test"
error: gpg failed to sign the data:
gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
[GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 59 curses 1.3.1-unknown /dev/console xterm-256color :0 20620/1000/65534 0/0 0
gpg: signing failed: Permission denied
[GNUPG:] FAILURE sign 83918849
gpg: signing failed: Permission denied
fatal: failed to write commit object
```
I don't know what it's trying to access. Anyone with the
expertise know what's going wrong? I have also tried bind
mounting /dev/console, but when I do that the tty command
becomes:
```
localhost # tty
not a tty
```
And get:
```
localhost # git commit -s -S -a -m "test"
error: gpg failed to sign the data:
gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
[GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 60 curses 1.3.1-unknown not a tty xterm-256color :0 ? 0/0 0
gpg: signing failed: No such file or directory
[GNUPG:] FAILURE sign 83918929
gpg: signing failed: No such file or directory
fatal: failed to write commit object
```
I can see that the :0 is the $DISPLAY variable and after
that it's showing the UIDs?
So TLDR: I can't get pinentry to work.
More info:
If I use the tty pinentry, regardless of /dev/console being
bind mounted or not, I get:
```
localhost # git commit -s -S -a -m "test"
error: gpg failed to sign the data:
gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
[GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 58 tty 1.3.1-unknown - xterm-256color :0 - 0/0 0
gpg: signing failed: Operation cancelled
[GNUPG:] FAILURE sign 83886179
gpg: signing failed: Operation cancelled
fatal: failed to write commit object
```
The host's UID is 1000 and inside the container I'm
100000 (root); surely that's messing with it, but I don't know
how ncurses works.
Permissions on /dev/console (that bubblewrap creates):
```
localhost # ll /dev/console
crw--w---- 1 1000 nobody 136, 1 Aug 30 20:37 /dev/console
```
Permissions of bind mounted /dev/console:
```
localhost # ll /dev/console
crw--w---- 1 nobody nobody 5, 1 Aug 29 21:45 /dev/console
```
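As an added example (not part of the original post, and not GnuPG's own code), the following POSIX sh script applies the plain permission check that pinentry-curses and pinentry-tty effectively depend on (read and write access to the device named by GPG_TTY) to the two /dev/console listings above. The function names tty_rw, perm_class, explain and check_current_tty are my own; the sample uid/gid values (the container process as 0/0, the nobody group as 65534) are constructed from the post; the model covers only mode bits and not CAP_DAC_OVERRIDE inside the user namespace, and check_current_tty relies on GNU stat's -c option.

```shell
#!/bin/sh
# Added example: diagnose "pinentry cannot use the tty" in a container.
# pinentry-curses and pinentry-tty open the terminal named by GPG_TTY for
# reading and writing, so the device's mode bits must grant both to the
# uid/gid gpg runs as. Only plain DAC is modelled here (assumption):
# CAP_DAC_OVERRIDE in a user namespace is not taken into account.

# perm_class FILE_UID FILE_GID UID GID -> prints owner, group or other
perm_class() {
    if [ "$1" = "$3" ]; then
        echo owner
    elif [ "$2" = "$4" ]; then
        echo group
    else
        echo other
    fi
}

# tty_rw MODE FILE_UID FILE_GID UID GID
# MODE is an ls-style string such as "crw--w----". Returns 0 when the
# permission class that applies to UID/GID has both r and w, 1 otherwise.
tty_rw() {
    bits=${1#?}      # drop the leading file-type character
    case "$(perm_class "$2" "$3" "$4" "$5")" in
        owner) case "$bits" in rw*)       return 0 ;; esac ;;
        group) case "$bits" in ???rw*)    return 0 ;; esac ;;
        other) case "$bits" in ??????rw*) return 0 ;; esac ;;
    esac
    return 1
}

# explain MODE FILE_UID FILE_GID UID GID -> one-line verdict
explain() {
    if tty_rw "$@"; then
        echo "uid $4/gid $5 gets read+write on a $1 node owned by $2:$3"
    else
        echo "uid $4/gid $5 is denied read or write on a $1 node owned by $2:$3 (pinentry will fail with 'Permission denied' under plain DAC)"
    fi
}

# check_current_tty: run inside the container with `--check`; inspects the
# terminal gpg would hand to pinentry (GPG_TTY, else tty(1)).
check_current_tty() {
    t=${GPG_TTY:-$(tty 2>/dev/null)}
    if [ -z "$t" ] || [ "$t" = "not a tty" ] || [ ! -c "$t" ]; then
        echo "no usable controlling tty (GPG_TTY='${GPG_TTY:-unset}'); curses/tty pinentry cannot prompt"
        return 2
    fi
    # GNU stat (assumption: Linux host)
    set -- "$(stat -c '%A' "$t")" "$(stat -c '%u' "$t")" "$(stat -c '%g' "$t")"
    explain "$1" "$2" "$3" "$(id -u)" "$(id -g)"
}

# Constructed sample values from the two `ll /dev/console` lines in the post:
# bubblewrap's node is 1000:nobody, the bind-mounted one is nobody:nobody,
# the container process is root (0/0), and nobody is assumed to be 65534.
demo() {
    explain "crw--w----" 1000 65534 0 0          # bubblewrap-created node, as root
    explain "crw--w----" 65534 65534 0 0         # bind-mounted host node, as root
    explain "crw--w----" 1000 65534 1000 1000    # same node seen by uid 1000
}

case "${1:-}" in
    --check) check_current_tty ;;
    *)       demo ;;
esac
```

Run without arguments to see the three constructed cases evaluated; run with `--check` inside the container (after exporting GPG_TTY) to see what the current process actually gets on its terminal. Both listings in the post have mode `crw--w----`, so any uid other than the owner is left with write-only access, which is not enough for a pinentry that has to read the passphrase from the terminal.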