Verify commit signatures

For increased transparency and to help you meet your security and compliance needs, you can now view the status of commit signature verification next to a commit hash on the Commits page. You can also view the details of the keys used to sign the commits.

When the Verify commit signature hook is enabled, Bitbucket requires all pushed commits to be signed and verifies that the signatures belong to a valid and trusted key or certificate.

We support the following keys for signing commits: 

  • GPG keys
  • X.509 (S/MIME) certificates
  • SSH keys

To check if a commit has been signed and verified, open the commit details page or the pull request commits tab.

Next to commit hashes, you’ll find the following indicators:

  • The Verified icon (Commit signature verified) means that a trusted author has signed the commit and the signature has been verified. Select the Verified icon to check the details of the key used to sign the commit. For example, this can be a GPG key, an SSH key, or an X.509 certificate with an X.509 issuer certificate.

  • The Not verified icon (Commit signature not verified) means that the commit has been signed but the signature can’t be verified. This can happen when the Verify commit signature hook was disabled and:
    • The key used to sign the commit hasn’t been uploaded to a Bitbucket user account.
    • The key used to sign the commit is either not supported or invalid.

[Screenshot: Updated Commits page]

If you open the commit details, you’ll also find the information about signature verification.

[Screenshot: Signature verification in commit details]

When you open the pull request commits tab, the view will be the following:

[Screenshot: Pull request commits tab view]

When you open the pull request builds tab, the view will be the following:

[Screenshot: Pull request builds tab view]

A commit can have no Verified or Not verified status when:

  • The commit was created before you upgraded to Bitbucket 8.13.

  • The commit hasn’t been signed.

  • The commit was made through the Bitbucket web interface (a reviewer’s suggestion, a pull request merge, etc.), so it could not be signed.

Commits are batched for verification and the signature verification status may not be immediately visible on the Commits page.

Last modified on Oct 19, 2023
