Check for and display a 'verified' icon or something as well.

      Update from Bitbucket Cloud PM on 6 March:

      We just launched support for signed commits using SSH keys so users can now sign commits using both GPG and SSH keys. 

      Update on December 12:

      This release did not include the ability to retroactively identify/link old commits. That is instead being tracked in the request BCLOUD-23508

       


            [BCLOUD-3166] Support signed commits for Git (BB-319)

            Erik added a comment -

            Thank you 1c505570e116 and all of the team that completed this functionality including SSH key support ❤️


            Robbie g8sy Gates added a comment -

            1c505570e116 Quick question about the March 6th update to include SSH keys (thank you!!) - the edit deleted the text "and system signed".

            I am interested in system signed commits - by "system signed" i'm imagining that the repo can use its pipelines ssh keys to sign commits that it makes? Is this the current state of this:

            1. It already just works - any git commit made by pipelines with the system keys configured for push will sign commits using these keys. This would be :amaze: :magic: (but i think it's hard because my setup has a few more layers that i suspect need special treatment).
            2. As already supported as it needs to be, because a build running in pipelines has access to the keys, and i just need to configure my git to sign using these keys (which it is already using to other repos for example). I can probably figure this out if so, but a pointer to documentation specific to Bitbucket (i know how to configure git to sign commits) might be handy if it exists.
            3. Planned to get additional support so that something just works out of the box when using Bitbucket's documented support for pushing back to the host repository - i.e. SSH Key pair managed by Bitbucket Pipelines section of https://support.atlassian.com/bitbucket-cloud/docs/push-back-to-your-repository/ (yes i know the signing happens at commit not push, but it feels like you want the push because you made the commit, so maybe there's some "works out of the box" here). I.e. this is "we want (1) but it's not done yet".
            4. Split into another issue (since i gather that it's not part of this issue any more based on this deletion and the fact this issue is closed), in which case can you link the issue for supporting system signed commits
            5. Not supported, and no work currently planned / moved to gathering interest (in which latter case i'd like an issue so it can gather my interest)
            6. Not supported and planned to be not implemented (in which case i can roll my own completely i guess, but i'd also be interested in the reasoning here).

            My guess is (2) - but i thought i'd check before diving in - if so, a quick ack of this would be appreciated.


            Gayatri Ramesh added a comment -

            Launch support for signing commits with both SSH and GPG keys.


            Erik added a comment - - edited

            Is there any news on Signed Commits Using SSH Keys? I'm a bit afraid this item is going to get closed without taking this into account. I do want to remind that in the past, signing commits with SSH keys was a thing that was supported.


            Jan Bauer added a comment -

            Great that this works now! It took only 13 years to implement commit verification...


            Stefan C. added a comment -

            Above link (https://www.atlassian.com/blog/bitbucket/strengthen-code-security-with-signed-commits) is a 404.

            Andre Schlegel-Tylla added a comment -

            Is there a timeline for verification against ssh keys? This should be the first choice because most devs should have them in place.

            Patrick Nelson added a comment - - edited

            I'm having the same issue as 811c97c268d7. Prior GPG signed commits with the same pub key are still showing as "unverified" but new commits (with no other change except adding the public key to my account) are showing up as verified. Since of course we're no longer allowed to create tickets anymore, can someone at Atlassian track this for us and let us know here, please? Thanks.

            Edit: miwalker added this for me here: https://jira.atlassian.com/browse/BCLOUD-23508


            Onno Molenkamp added a comment -

            Existing signed commits don't show up as being signed (let alone verified), will the signing status of these commits be refreshed at some point?

            Arshath H added a comment -

            If signing commits with SSH won't be supported soon, the unverified label should not be shown if the commit is signed with SSH, as it is misleading.


              1c505570e116 Gayatri Ramesh
              487a7d97-59d5-4052-add4-6ee51b4cdb9f Deleted Account (Inactive)
              Votes: 939
              Watchers: 382
