Get pinentry to work in a container

zyxhere💭 zyx at envs.net
Sun Aug 31 00:40:08 CEST 2025


On Sun, 2025-08-31 at 03:27 +0500, zyxhere💭 via Gnupg-users wrote:
> On Sun, 2025-08-31 at 01:41 +0500, zyxhere💭 via Gnupg-users wrote:
> > Hi! I have created a container for development purposes with
> > bubblewrap[1] and unshare, so far it has been working great;
> > the only thing that isn't working is gpg signed commits with
> > git. I have bind mounted the $GNUPGHOME into the container
> > and gpg can see it with gpg --list-keys. Now when I sign
> > commits with it I get:
> > ```
> > gpg: signing failed: Inappropriate ioctl for device
> > ```
> > 
> > This was fixed by adding `export GPG_TTY=$(tty)` to
> > ~/.bash_profile ($(tty) points to /dev/console). But now
> > I get:
> > ```
> > localhost # git commit -s -S -a -m "test"
> > error: gpg failed to sign the data:
> > gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> > [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> > [GNUPG:] BEGIN_SIGNING H8
> > [GNUPG:] PINENTRY_LAUNCHED 59 curses 1.3.1-unknown /dev/console xterm-256color :0 20620/1000/65534 0/0 0
> > gpg: signing failed: Permission denied
> > [GNUPG:] FAILURE sign 83918849
> > gpg: signing failed: Permission denied
> > 
> > fatal: failed to write commit object
> > ```
> > 
> > I don't know what it's trying to access. Anyone with the
> > expertise know what's going wrong? I have also tried bind
> > mounting /dev/console but when I do that the tty command
> > becomes:
> > ```
> > localhost # tty
> > not a tty
> > ```
> > And get:
> > ```
> > localhost # git commit -s -S -a -m "test"
> > error: gpg failed to sign the data:
> > gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> > [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> > [GNUPG:] BEGIN_SIGNING H8
> > [GNUPG:] PINENTRY_LAUNCHED 60 curses 1.3.1-unknown not a tty xterm-256color :0 ? 0/0 0
> > gpg: signing failed: No such file or directory
> > [GNUPG:] FAILURE sign 83918929
> > gpg: signing failed: No such file or directory
> > 
> > fatal: failed to write commit object
> > ```
> > I can see that the :0 is the $DISPLAY variable and after
> > that it's showing the UIDs?
> > 
> > So TLDR: I can't get pinentry to work.
> > 
> > More info:
> > If I use the tty pinentry regardless of /dev/console being
> > bind mounted or not I get:
> > ```
> > localhost # git commit -s -S -a -m "test"
> > error: gpg failed to sign the data:
> > gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> > [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> > [GNUPG:] BEGIN_SIGNING H8
> > [GNUPG:] PINENTRY_LAUNCHED 58 tty 1.3.1-unknown - xterm-256color :0 - 0/0 0
> > gpg: signing failed: Operation cancelled
> > [GNUPG:] FAILURE sign 83886179
> > gpg: signing failed: Operation cancelled
> > 
> > fatal: failed to write commit object
> > ```
> > 
> > The host's UID is 1000 and inside the container I'm
> > 100000(root); surely that's messing with it but I don't know
> > how ncurses works.
> > 
> > Permissions on /dev/console (that bubblewrap creates):
> > ```
> > localhost # ll /dev/console 
> > crw--w---- 1 1000 nobody 136, 1 Aug 30 20:37 /dev/console
> > ```
> > Permissions of bind mounted /dev/console:
> > ```
> > localhost # ll /dev/console
> > crw--w---- 1 nobody nobody 5, 1 Aug 29 21:45 /dev/console
> > ```
> Never mind, I was able to get it to work via https://ao.bloat.cat/exchange/stackoverflow.com/questions/51504367/gpg-agent-forwarding-inappropriate-ioctl-for-device#59170001
> Need to add
> ```
> use-agent 
> pinentry-mode loopback
> ```
> to gpg.conf and
> ```
> allow-loopback-pinentry
> ```
> to gpg-agent.conf
> 
> Sorry for the noise!

I hope there isn't anything wrong with using stdin for the password! (Not
sure why it's disabled by default.) So if there is a way to keep using the
ncurses prompt I would really appreciate it!