Bitbucket Server / BSERV-2717

Provide the ability to require and validate signed commits and commit tags


Description

Atlassian status as of December 2016

Hi everyone,

Thanks to everyone for voting and commenting on this suggestion. Your input in the comments helps us understand how this affects you and what you're hoping to accomplish with Bitbucket Server.

This suggestion is currently under consideration by the Bitbucket development team, however we're not able to provide a timeline for when it will be resolved. Learn more about our process here.

Regards,

Norman Ma

Product Manager - Bitbucket Server

Briefly:
With Git, users simply "declare" their identity within the configuration of the Git client, which ends up being recorded as the "author" when commits are made against a repository. However, when pushing to a repository hosted within Stash, the identity used to authenticate to the repository may be different than the identity that was recorded when the commits were made.

Furthermore, there is no reliable way to verify or be reasonably certain that commit X was actually performed by user Y. The user could simply have declared their identity to be something false. The lack of a reliable audit trail of changes is a significant issue, particularly for corporations.

One solution to this issue is to require users to perform signed commits (or in the case of pull requests, only allow pull requests against a signed commit tag). The ability is needed to configure a repository to only allow commits that have been signed and verify that the signature is both valid and trusted. At present, this seems to be the only way to establish a reliable audit trail within Git.

Some sources for details:
http://git-scm.com/book/en/Git-Basics-Tagging
http://mikegerwitz.com/docs/git-horror-story.html
http://git-blame.blogspot.com/2012/01/using-signed-tag-in-pull-requests.html
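An added example, not part of this issue and not Bitbucket Server code (Bitbucket wraps repository hooks in its own plugin API, so this is plain Git): a `pre-receive` hook that enforces the rule the description asks for, rejecting any push that contains a commit Git cannot verify as carrying a valid signature from a trusted key. It assumes the hook runs as a server-side user whose GnuPG keyring holds and trusts the signers' public keys; `check_verdicts` is a hypothetical helper named here for illustration.

```shell
#!/bin/sh
# Added example (not Bitbucket's own code): a generic Git pre-receive hook.
# Git's %G? format placeholder reports a commit's signature verdict as checked
# against the keyring of the user running the hook, i.e. the server's trust
# store rather than anything the pusher declares:
#   G = good signature, key trusted      U = good signature, key not trusted
#   B = bad signature                    E/N = cannot be checked / unsigned
#   X/Y/R = good signature but key expired / expired at signing / revoked
# Only "G" satisfies "valid and trusted".

ZERO=0000000000000000000000000000000000000000

# check_verdicts (hypothetical helper): reads "<sha> <verdict> [<keyid>]" lines
# on stdin, prints each commit that fails the policy, returns 1 if any failed.
check_verdicts() {
    bad=0
    while read -r sha verdict keyid; do
        [ -n "$sha" ] || continue
        case "$verdict" in
            G) ;;
            *) printf 'rejected %s: signature status %s (key %s)\n' \
                   "$sha" "${verdict:-?}" "${keyid:-none}"
               bad=1 ;;
        esac
    done
    return "$bad"
}

# run_hook: pre-receive gets one "<old> <new> <ref>" line per updated ref on stdin.
run_hook() {
    status=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue        # ref deletion: nothing to verify
        if [ "$old" = "$ZERO" ]; then
            set -- "$new" --not --all           # new ref: commits not yet on the server
        else
            set -- "$old..$new"                 # fast-forward or rewrite: the new commits
        fi
        git log --format='%H %G? %GK' "$@" | check_verdicts || status=1
    done
    [ "$status" -eq 0 ] || echo 'push rejected: every commit needs a valid, trusted signature' >&2
    return "$status"
}

# Only act as a hook when installed under that name; sourcing the file is a no-op.
case "${0##*/}" in pre-receive) run_hook ;; esac
```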

People

Assignee: mheemskerk (Michael Heemskerk)
Reporter: feldhacker (Chris Feldhacker)
Votes: 81
Watchers: 65