As part of our ongoing efforts to strengthen security, we are excited to announce that signed commits are now available in Bitbucket Cloud. Signed commits provide an essential layer of protection, allowing developers to verify the authenticity of their contributions using GPG keys.
If you’re on the Premium plan, you can also enforce that all commits to your repositories are signed for authenticity. This option ensures every contribution is authenticated, reducing risks like unauthorized changes or unverified code being introduced to your code base. In today’s fast-paced development environment, unsigned commits create vulnerabilities that can compromise repository integrity. Enforcing signed commits eliminates these risks, providing teams with a secure, reliable, and compliant foundation to build on.
How it works
Here’s a quick overview of how to enable and use signed commits:
As a developer, you will need to configure your GPG keys within your Personal Bitbucket settings. Add the GPG key associated with your Bitbucket Cloud account email so you can sign your commits with your key.
After setting up the GPG key, commits must be signed using the configured key. Bitbucket will validate the signature against the public key and display a ‘Verified’ card for successfully authenticated commits.
For detailed steps on configuring GPG keys and understanding commit validation statuses, check out our help documentation.
Note: Currently, some workflows, such as specific merges or commits made through the Bitbucket UI, are not supported. We’re actively working on addressing these cases in a future release.
Enforcing signed commits across your repository
You need to be a repository admin to be able to enforce signed commits.
Select Repository settings on the left sidebar. Then, select Repository details, select the Advanced dropdown below the Repository details, and select the Require all commits to have a verified signature checkbox under Signed commits
Benefits of enforced signed commits
We know how important repository integrity is, especially in organizations with strict security and compliance requirements. Enforcing signed commits provides:
- Increased control: Apply consistent security policies across your repositories to meet organizational standards.
- Stronger security: Prevent unauthorized changes by ensuring every commit is verified.
- Better traceability: Know exactly who made changes to your codebase and ensure all contributions are authentic.
Want to ensure every commit to your repositories is signed? Consider upgrading to the Premium plan to access this and other premium features.
What’s next?
We’ll continue to add new capabilities, such as support for signing commits with SSH keys and introducing system-signed commits. These improvements will help address specific use cases, like merges and commits made through the Bitbucket UI. Stay tuned for more updates!