Bitbucket Data Center: BSERV-12362

Provide option to automatically use GPG to sign commits you make using the web interface



      The current design doesn't require verification from GPG for commits or merge commits made from the web interface.

      Use Case Scenario

      Let us describe how we want to use git:

      All developers should sign their commits. This is enforced by having the Bitbucket server reject pushes that are not signed. The local git config at the developer's machine is set up to always sign. All good so far.

      Signing is however not as useful if the signatures are not verified by the developers pulling from the server.

      Therefore, the developers have set up their local git config to verify signatures (for instance by git config --global merge.verifySignatures true). Any commits made by someone not trusted on their local GPG chain are rejected.

      The problem is that if Bitbucket merges a pull request and does not sign the resulting commit, the developers will have to ignore the signing.

      Since it is annoying to get an error each time one merges the master branch from the server, it is easy to just turn off local verification.

      A better option is if the commits are signed with a server key instead.

      This means one can use a sane default (verify signatures) locally and not have to be annoyed at each merge.

            spetrucev Stefan
            mmarini@atlassian.com Marini Marini (Inactive)
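
The gap described in the use case can be measured before deciding whether local verification can stay on. The following is an added example, not part of the original issue and not Atlassian code: it lists the commits on a ref that carry no good signature and marks which of them are merge commits. The function names `unverified_commits` and `require_verified` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue): audit a ref for commits that a client
# with signature verification enabled would not accept as verified.
# git's %G? placeholder reports the signature status of each commit:
#   G good            U good, unknown validity   B bad
#   X good, expired   Y good, key expired        R good, key revoked
#   E cannot be checked (e.g. missing key)       N no signature

# unverified_commits <repo-dir> <ref>   (hypothetical helper name)
# Prints "<status> <short-hash> <merge|commit> <subject>" for every commit
# reachable from <ref> whose status is anything other than G.
unverified_commits() {
    git -C "$1" log --format='%G?%x09%h%x09%P%x09%s' "$2" |
    awk -F '\t' '$1 != "G" {
        # %P lists parent hashes; two or more parents means a merge commit,
        # which is what a web-interface pull request merge produces.
        kind = (split($3, parents, " ") > 1) ? "merge" : "commit"
        print $1, $2, kind, $4
    }'
}

# require_verified <repo-dir> <ref>   (hypothetical helper name)
# Returns 0 only when every commit reachable from <ref> has status G;
# otherwise prints the offending commits to stderr and returns 1.
require_verified() {
    findings=$(unverified_commits "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}
```

Run against a clone of the server repository, for example `require_verified . origin/master`; lines with status `N` and kind `merge` are the unsigned server-side merges the issue is about.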