Install gpg2 and forward gpg-agent

[mzabaluev]

For signing git commits, git uses GnuPG as an external program, defaulting to gpg. That binary is provided in the container, the problem with it is, it cannot use the gpg-agent as provided by Seahorse etc. and bails out on needing to supply a passphrase without a terminal.

The gpg program name can be overridden to gpg2 in git configuration, but this binary is not present in the container. Neither, I believe, the agent socket is forwarded from the desktop.

[mzabaluev]

gpg is now an alias to gpg2 in the runtime.
There is still no way to forward gpg-agent socket from the host; the feature tracking issue is flatpak/flatpak#2301.

[teohhanhui]

Looks like the current workaround would be to add pinentry to the build, just like flathub/com.jetbrains.IntelliJ-IDEA-Community#63

Otherwise git commit would be broken when commit.gpgsign=true:

error: gpg failed to sign the data
fatal: failed to write commit object

[Mikaela]

Does this also affect signing git commits with SSH?

[alexojegu]

The issue flatpak/flatpak#2301 is closed now, and the PR flatpak/flatpak#4958 is merged.

How can I sign git commits?

[mpi3d]

I've been working on this recently. I'm now able to sign commits inside the flatpak.

First you have to allow access to the gpg-agent using Flatseal or flatpak override.
Also make sure that the gpg-agent is active.

Then there is a problem with DBUS_SESSION_BUS_ADDRESS environment variable. We need to set it to unix:path=$XDG_RUNTIME_DIR/bus but it defaults to unix:path=/run/flatpak/bus.

Unfortunately you can't use Flatseal or flatpak override to override it. But you can use this custom pinentry program:

#!/bin/sh
DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_RUNTIME_DIR/bus pinentry

Don't forget to set pinentry-program in your gpg-agent.conf.

Eventally you can use flatpak run --no-session-bus com.visualstudio.code along with sharing xdg-run/bus manually with VSCode using Flatseal / flatpak override.

Finally, here is the straight forward solution:

flatpak override --user --socket=gpg-agent com.visualstudio.code
systemctl enable --user --now gpg-agent.socket
echo '#!/bin/sh
DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_RUNTIME_DIR/bus pinentry' > ~/.gnupg/pinentry.sh
chmod +x ~/.gnupg/pinentry.sh
echo 'pinentry-program .gnupg/pinentry.sh' >> ~/.gnupg/gpg-agent.conf

Tested on Fedora with GNOME. Not sure for other desktop environments like KDE or XFCE, but always happy to help if needed.

[mpi3d]

Eventually, this will prevent using GPG to sign commits inside a devcontainer.

I'm working on a better fix.

[mpi3d]

Ok, so for now, the only possible solution is to use the GNOME SDK which provides a pinentry program. You also need to allow talking to org.gnome.keyring.SystemPrompter. Even though, this will only work on GNOME.
Just simply run flatpak run --runtime=org.gnome.Sdk --runtime-version=44 --talk-name=org.gnome.keyring.SystemPrompter com.visualstudio.code and it should work.
Do not forget to remove any previous fix in my comment above.

In the meantime, I've created this issue: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/issues/1621. If it's solved, I will be able to provide a much better fix.

One last solution is to build our own runtime. But it's really a last resort option as it may not be accepted as a fix. And it's also very boring to maintain.

[Victor239]

In Flatseal enabling socket=gpg-agent and installing pinentry (sudo apt install pinentry-tty) fixed the issue for me. This should be added into the build by default.

[Tealk]

On Fedoara 40 Silverblue it was sufficient to activate socket=gpg-agent

[chenxiex]

If using pinentry-gnome3 on host, enabling socket=gpg-agent doesn't work. Adding talk-name=org.gnome.keyring.SystemPrompter doesn't help either. A workaround is to manually set pinentry program to pinentry-tty on host and set GPG_TTY env in flatpak (tty inside flatpak is often different from host on my pc, I don't know why).

[chenxiex]

Signing commit in devcontainer also fails even with socket=gpg-agent.

[alexojegu]

Here is the discussion on the GnuPG lists about it:
https://lists.gnupg.org/pipermail/gnupg-users/2025-February/067509.html

@mpi3d maybe you can add this link to the issue you have opened to see if freedesktop-sdk and GnuPG can fix the problem.