When setting up Jenkins to sign a build product using GnuPG, the signing operation might stall, since pinentry-mac can't retrieve the private key passphrase from macOS Keychain Access. The only way to fix this so far was to log in to the signing user account and run the command manually in Terminal once, so that the macOS Keychain Access password prompt is displayed and one can choose to never be asked again, which adds the pinentry-mac.app application to the list of applications for which no user password is required to retrieve the passphrase. This is very cumbersome if the server taking care of the signing is only accessible via SSH.
What's even stranger is that trying to add the keychain item manually using the following command, which should grant access to the item without asking for the user's password via the UI:
security add-generic-password -a "<fingerprint>" -l "<somelabel>" -s "GnuPG" -T "/usr/local/MacGPG2/libexec/pinentry-mac.app" -w "passphrase" <keychain>