Docker BuildKit experimental features failing with GPG secret key error during image resolution

I’m trying to use Docker BuildKit’s experimental cache mount feature but keep running into authentication issues. Here’s my setup:

My Dockerfile:

# syntax=docker/dockerfile:experimental
FROM ubuntu:20.04

# Configure apt caching
RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
RUN --mount=type=cache,target=/var/cache/apt --mount=type=cache,target=/var/lib/apt apt update && apt install -y build-essential

Current password store setup:

user@machine $ pass show
Password Store
`-- docker-credentials
    |-- registry.docker.io
    |   `-- myusername
    `-- docker-initialized

I’ve configured docker-credential-pass properly and can login to Docker Hub without issues. However, when building with BuildKit enabled, I get this error:

DOCKER_BUILDKIT=1 docker build -t myapp:latest .
[+] Building 0.3s (3/3) FINISHED
 => [internal] load build definition from Dockerfile 0.1s
 => [internal] load .dockerignore 0.1s
 => ERROR resolve image config for docker.io/docker/dockerfile:experimental 0.2s
------
 > resolve image config for docker.io/docker/dockerfile:experimental:
------
failed to solve with frontend dockerfile.v0: rpc error: code = Unknown desc = error getting credentials - err: exit status 1, out: `exit status 2: gpg: decryption failed: No secret key`

What could be causing this GPG decryption failure? Is there something specific about BuildKit that requires different credential handling?

Yeah, this is a common docker-credential-pass issue when BuildKit runs in rootless mode or containers. The GPG agent in your user session can’t be reached by the BuildKit daemon process. I hit this same problem when I switched to BuildKit - setting DOCKER_BUILDKIT=0 confirmed it was BuildKit-specific. What worked for me was switching to docker-credential-store instead, which skips GPG completely. Or you can fix the GPG agent by adding allow-loopback-pinentry to your gpg-agent.conf and making sure GPG_TTY is set properly in the BuildKit context.

Hmm, that’s interesting… Are you running this in a different user context? BuildKit spawns processes differently than regular Docker builds. What does gpg --list-secret-keys show when you run it normally vs during the build? Also - does it work if you temporarily switch back to the legacy builder?

Had the same problem last week. BuildKit daemon runs in its own environment and can’t reach your GPG keys. Quick fix: use docker login instead of credential helpers - stores creds in plaintext but bypasses the GPG issue. Or try setting the GNUPGHOME environment variable when you run the build command.
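The replies above all point at the same root cause: the credential helper runs in whatever environment BuildKit gives it, not in the interactive session where gpg-agent and the pass keyring are reachable. The script below is an added example, not part of the original thread, that exercises a credential helper the way the Docker client does (the `get` verb with the registry host on stdin) under a stripped-down environment, so a "No secret key" failure can be reproduced and diagnosed before a build hits it. The `docker-credential-fake` helper it creates is a constructed stand-in that fails unless `GNUPGHOME` points at a usable directory; substitute the real `docker-credential-pass` path and whichever variables (`GNUPGHOME`, `GPG_TTY`, `HOME`) your daemon actually lacks to test the real setup.

```shell
#!/bin/sh
# Added example (not from the original thread). Drives a Docker credential
# helper the way the Docker CLI/BuildKit does: `helper get` with the registry
# host on stdin, expecting JSON with "Username" and "Secret" on stdout.

# probe_helper HELPER SERVER [NAME=VALUE ...]
# Runs HELPER's "get" for SERVER with an emptied environment (only PATH plus
# the NAME=VALUE pairs given), mimicking a daemon that has none of the
# user's session variables. Prints the helper's stdout; returns its exit code.
probe_helper() {
    helper=$1
    server=$2
    shift 2
    printf '%s\n' "$server" | env -i PATH="$PATH" "$@" "$helper" get
}

# looks_like_credential_json OUTPUT
# Returns 0 when OUTPUT carries the two keys every helper must emit on success.
looks_like_credential_json() {
    case $1 in
        *'"Username"'*'"Secret"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_fake_helper
# Creates a constructed stand-in helper in a temp directory and prints that
# directory. Like docker-credential-pass, it succeeds only when GNUPGHOME
# names a usable keyring directory; otherwise it reports the gpg failure
# seen in the question. The username and token below are made up.
make_fake_helper() {
    dir=$(mktemp -d)
    cat > "$dir/docker-credential-fake" <<'EOF'
#!/bin/sh
read -r server
if [ -z "$GNUPGHOME" ] || [ ! -d "$GNUPGHOME" ]; then
    echo 'exit status 2: gpg: decryption failed: No secret key' >&2
    exit 1
fi
printf '{"ServerURL":"%s","Username":"myusername","Secret":"example-token"}\n' "$server"
EOF
    chmod +x "$dir/docker-credential-fake"
    echo "$dir"
}

# Usage (constructed helper):
#   dir=$(make_fake_helper)
#   probe_helper "$dir/docker-credential-fake" registry.docker.io          # fails: no GNUPGHOME
#   probe_helper "$dir/docker-credential-fake" registry.docker.io GNUPGHOME="$dir"   # succeeds
```

The useful part for a real diagnosis is the `env -i` line: if `probe_helper /usr/bin/docker-credential-pass registry.docker.io` fails but the same call with `GNUPGHOME=$HOME/.gnupg GPG_TTY=$(tty)` succeeds, the keyring is fine and only the daemon's environment needs fixing; if it fails either way, the problem is in the pass/gpg configuration itself.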