Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-2717

Provide the ability to require and validate signed commits and commit tags



    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.


      Atlassian status as of December 2016

      Hi everyone,

      Thanks to everyone for voting and commenting on this suggestion. Your input in the comments helps us understand how this affects you and what you're hoping to accomplish with Bitbucket Server.

      This suggestion is currently under consideration by the Bitbucket development team, however we're not able to provide a timeline for when it will be resolved. Learn more about our process here.


      Norman Ma

      Product Manager - Bitbucket Server

      With Git, users simply "declare" their identity within the configuration of the Git client, which ends up being recorded as the "author" when commits are made against a repository. However, when pushing to a repository hosted within Stash, the identity used to authenticate to the repository may be different then that identity that was recorded when the commits were made.

      Furthermore, there is no reliable way to verify or be reasonably certain that commit X was actually performed by user Y. The user could simply have declared their identity to be something false. The lack of a reliable audit trail of changes is a significant issue, particularly for corporations.

      One solution to this issue is to require users to perform signed commits (or in the case of pull requests, only allow pull requests against a signed commit tag). The ability is needed to configure a repository to only allow commits that have been signed and verify that the signature is both valid and trusted. At present, this seems to be the only way to establish a reliable audit trail within Git.

      Some sources for details:


        Issue Links



              mheemskerk Michael Heemskerk (Inactive)
              3dc7cad321a1 Chris Feldhacker
              81 Vote for this issue
              64 Start watching this issue