Verify commit signatures
For increased transparency and to help you meet your security and compliance needs, you can now view the status of commit signature verification next to a commit hash on the Commits page. You can also view the details of the keys used to sign the commits.
When the Verify commit signature hook is enabled, Bitbucket requires all pushed commits to be signed and verifies that the signatures belong to a valid and trusted key or certificate.
We support the following keys for signing commits:
- GPG keys
- X.509 (S/MIME) certificates
- SSH keys
To check if a commit has been signed and verified, open the commit details page or the pull request commits tab.
Next to commit hashes, you’ll find the following indicators:
The Verified icon means that a trusted author has signed the commit and the signature has been verified. Select the Verified icon to check the details of the key used to sign the commit. For example, this can be a GPG key, an SSH key, or an X.509 certificate with an X.509 issuer certificate.
- The Not verified icon means that the commit has been signed but the signature can’t be verified. This can happen when the Verify commit signature hook was disabled and:
The key used to sign the commit hasn’t been uploaded to a Bitbucket user account.
The key used to sign the commit is either not supported or invalid.
If you open the commit details, you’ll also find the information about signature verification.
When you open the pull request commits tab, the view will be the following:
When you open the pull request builds tab, the view will be the following:
A commit can have no Verified or Not verified status when:
The commit was created before you upgraded to Bibucket 8.13.
The commit hasn’t been signed.
The commit has been made through the Bitbucket web interface (a reviewer’s suggestion, a pull request merge, etc.) that’s why the commit couldn’t be signed.
Commits are batched for verification and the signature verification status may not be immediately visible on the Commits page.