Forward GPG from host to docker container

(I have this mostly working with one small problem)

I am using Docker to set up a work environment that still has access to some parts of my host system. I use pass (which uses GPG) to store various tokens, passwords, etc. I am trying to gain access to my host’s password store inside the docker container.

My docker run command looks like the following:

docker run -it --rm \
  -v "${HOME}/.gnupg/pubring.kbx:/home/me/.gnupg/pubring.kbx:ro" \
  -v "${HOME}/.gnupg/S.gpg-agent:/home/me/.gnupg/S.gpg-agent:ro" \
  -v "${HOME}/.password-store:/home/me/.password-store:ro" \
  -v "${HOME}/work:/home/me/work" \
  work_container:latest
# The gpg socket being read-only or not seems to not make a difference

With this setup, I can use pass from inside the docker container as if I were running pass on the host, with just one problem. My GPG private key has a password on it. For everything to work, I have to enter the password on my host (by running pass show token, for example) to put GPG on the passphrase timeout. Only then can I use pass within the container freely.

Ideally, I want GPG to prompt me for my private key’s password from inside the container whenever it needs to, as it would normally. So,
from: run pass in container → fail → run pass on host to trigger prompt → password prompt → run pass in container → success
to: run pass in container → password prompt → success

If I haven’t put GPG on passphrase timeout, it reports back the following error:

$ pass show token     # in container
gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: decryption failed: No secret key

For reference, the Dockerfile I’m building looks essentially like the following:

FROM alpine:latest

ARG USERNAME=me

WORKDIR "/home/${USERNAME}"
COPY dotfiles "/home/${USERNAME}/dotfiles"

RUN apk update \
    && apk add git tmux bash fzf exa \
    openssh curl sudo pass \
    neovim go perl \
    terraform ansible \
  ;

# Add user with no password and sudo-no-password permissions on all commands
# `adduser -s /bin/bash` seems to do nothing
RUN adduser -D -s /bin/bash "${USERNAME}" \
    && addgroup "${USERNAME}" wheel \
    && printf %s\\n "%wheel ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers \
    && passwd -d "${USERNAME}"

# Not sure this line does anything meaningful
USER ${USERNAME}

# Set permissions so GPG doesn't complain
RUN mkdir -p .gnupg \
    && chown -R ${USERNAME} .gnupg \
    && chmod 700 .gnupg

# go version must be >= 1.17, otherwise `lf` install is different
RUN . .profile; \
    env CGO_ENABLED=0 go install -ldflags="-s -w" github.com/gokcehan/lf@latest

CMD ["/bin/bash"]
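A way to forward the agent that also limits what the container can do with the key, as an added example that is not from the post or any project: it mounts the host agent's restricted "extra" socket (resolved with gpgconf rather than a hard-coded ~/.gnupg path) at the location the container's gpg will probe, and refuses to start the container if that path is not a live socket. The image name, container user name and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): forward only gpg-agent's restricted "extra"
# socket into the container. Image name, container user and paths are assumptions.
set -eu

CONTAINER_USER="${CONTAINER_USER:-me}"
IMAGE="${IMAGE:-work_container:latest}"

# Ask gpgconf where the host agent's sockets are. Modern GnuPG keeps them under
# /run/user/<uid>/gnupg rather than ~/.gnupg, so hard-coding ~/.gnupg/S.gpg-agent
# can silently mount a path that no agent listens on.
host_socket() {                     # $1: agent-extra-socket or agent-socket
  gpgconf --list-dirs "$1"
}

# A forwarded agent only works if the mounted path is a live Unix socket. When it
# is not, the container's gpg tries to spawn its own gpg-agent, which is exactly
# the "failed to start agent" error quoted above.
require_socket() {                  # $1: path; returns 1 if not a socket
  [ -S "$1" ]
}

# Mount spec for docker's -v: host socket -> the fallback path the container's
# gpg probes when /run/user/<uid>/gnupg does not exist inside the container.
socket_mount_spec() {               # $1: host socket, $2: container user name
  printf '%s' "$1:/home/$2/.gnupg/S.gpg-agent"
}

run_container() {
  # Current gpg-agent creates S.gpg-agent.extra by default; older 2.1 releases
  # need "extra-socket" in gpg-agent.conf.
  extra="$(host_socket agent-extra-socket)"
  require_socket "$extra" || {
    echo "no restricted gpg-agent socket at $extra; is gpg-agent running?" >&2
    return 1
  }
  docker run -it --rm \
    -v "${HOME}/.gnupg/pubring.kbx:/home/${CONTAINER_USER}/.gnupg/pubring.kbx:ro" \
    -v "$(socket_mount_spec "$extra" "$CONTAINER_USER")" \
    -v "${HOME}/.password-store:/home/${CONTAINER_USER}/.password-store:ro" \
    "$IMAGE"
  # Inside the container, confirm the host agent answers without autostart and
  # that the connection is the restricted one:
  #   gpg-connect-agent --no-autostart 'GETINFO restricted' /bye
}

[ "${1:-}" != "run" ] || run_container
```

Over the extra socket the agent refuses key export and most management commands, so the container can decrypt and sign but cannot pull the secret key out. The passphrase prompt is still shown by the host's agent through the host's pinentry, because the container only ever talks to the agent, never to the key.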

Have you tried to pass /usr/bin/gpg-agent as a volume to the container as well?

I just tried it, and it doesn’t help.