BSERV-2717

Provide the ability to require and validate signed commits and commit tags

    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Atlassian status as of December 2016

      Hi everyone,

      Thanks to everyone for voting and commenting on this suggestion. Your input in the comments helps us understand how this affects you and what you're hoping to accomplish with Bitbucket Server.

      This suggestion is currently under consideration by the Bitbucket development team; however, we're not able to provide a timeline for when it will be resolved. Learn more about our process here.

      Regards,

      Norman Ma

      Product Manager - Bitbucket Server

      Briefly:
      With Git, users simply "declare" their identity within the configuration of the Git client, which ends up being recorded as the "author" when commits are made against a repository. However, when pushing to a repository hosted within Stash, the identity used to authenticate to the repository may be different from the identity that was recorded when the commits were made.

      Furthermore, there is no reliable way to verify or be reasonably certain that commit X was actually performed by user Y. The user could simply have declared their identity to be something false. The lack of a reliable audit trail of changes is a significant issue, particularly for corporations.

      One solution to this issue is to require users to perform signed commits (or in the case of pull requests, only allow pull requests against a signed commit tag). The ability is needed to configure a repository to only allow commits that have been signed and verify that the signature is both valid and trusted. At present, this seems to be the only way to establish a reliable audit trail within Git.

      Some sources for details:
      http://git-scm.com/book/en/Git-Basics-Tagging
      http://mikegerwitz.com/docs/git-horror-story.html
      http://git-blame.blogspot.com/2012/01/using-signed-tag-in-pull-requests.html

            Roger Barnes (Inactive) added a comment - Hi dickon.reed, Bitbucket Cloud has an independent roadmap, and suggestion tracker. You can see the corresponding suggestion to this one at https://bitbucket.org/site/master/issues/3166/support-signed-commits-for-git-and , including the latest status.

            Dickon Reed added a comment - I don't see this in Bitbucket Cloud even with a project on the premium tier. Did I miss it, or is there a timescale for adding this support to Bitbucket Cloud?

            Tim Meusel added a comment - Ah okay, thanks for the clarification!

            Roger Barnes (Inactive) added a comment - Hi tim783036947 and vladimir.kolesnik1839644386, In Bitbucket Server and Bitbucket Data Center 5.0 we shipped a committer verification hook. It is similar in concept but does not involve GPG signing. The committer verification hook, when enabled, requires that pushes contain only commits authored by the user pushing. It is intended as a simpler mechanism to use in that it requires no key management, but also potentially limiting as developers can't push each other's commits. GPG signed commit verification is on our radar as a separate improvement.
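The two server-side checks discussed in this thread, the signed-commit enforcement requested in the issue description and the committer verification hook described in the comment above, as an added pre-receive hook example (not Bitbucket's code and not part of the issue). It assumes the signers' public keys are imported into the hook user's GPG keyring and that TRUSTED_FPRS and PUSHER_EMAIL, both hypothetical names, are supplied by the hosting layer.

```shell
#!/bin/sh
# Added example, not code from BSERV-2717 or Bitbucket: a git pre-receive hook for
# the two policies the thread discusses. (1) Signed commits, as requested: every new
# commit needs a good GPG signature from a key on an allow-list of fingerprints.
# (2) Committer verification, as shipped in Bitbucket 5.0: every new commit must be
# authored and committed by the pushing user. TRUSTED_FPRS (placeholder value) and
# PUSHER_EMAIL are hypothetical inputs the hosting layer would supply.
set -eu
TRUSTED_FPRS="${TRUSTED_FPRS:-0000000000000000000000000000000000000001}"
PUSHER_EMAIL="${PUSHER_EMAIL:-}"   # empty disables committer verification

# Reads "<sha>|<G?>|<fingerprint>|<author-email>|<committer-email>" lines, i.e. the
# output of: git log --format='%H|%G?|%GF|%ae|%ce' <range>
# Prints one "reject:" line per offending commit; returns 1 if any were found.
check_commit_lines() {
    bad=0
    while IFS='|' read -r sha status fpr aemail cemail; do
        [ -n "$sha" ] || continue
        if [ -n "$PUSHER_EMAIL" ] &&
           { [ "$aemail" != "$PUSHER_EMAIL" ] || [ "$cemail" != "$PUSHER_EMAIL" ]; }; then
            echo "reject: $sha author/committer $aemail/$cemail is not the pusher $PUSHER_EMAIL"; bad=1
        fi
        case "$status" in
            G|U)  # gpg validated the signature; trust comes from our allow-list, not the keyring
                case " $TRUSTED_FPRS " in
                    *" $fpr "*) ;;
                    *) echo "reject: $sha signed by key $fpr, which is not allow-listed"; bad=1 ;;
                esac ;;
            N)  echo "reject: $sha is not signed"; bad=1 ;;
            *)  echo "reject: $sha signature is bad, expired, revoked or unverifiable [$status]"; bad=1 ;;
        esac
    done
    return $bad
}

# One ref update: check every commit reachable from $new but not from $old (for a
# brand-new branch, not from any existing ref). Deletions carry no commits.
check_ref_update() {
    old=$1 new=$2 zero=0000000000000000000000000000000000000000
    [ "$new" != "$zero" ] || return 0
    if [ "$old" = "$zero" ]; then range="$new --not --all"; else range="$old..$new"; fi
    git log --format='%H|%G?|%GF|%ae|%ce' $range | check_commit_lines
}
# Git exports GIT_DIR when it invokes a hook; run by hand, nothing below executes.
if [ -n "${GIT_DIR:-}" ]; then
    rc=0
    while read -r old new ref; do check_ref_update "$old" "$new" || rc=1; done
    exit $rc
fi
```

Commits signed with a subkey report the subkey fingerprint in %GF; allow-list the primary key instead by switching the format to %GP.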

            Tim Meusel added a comment - Oh I wasn't aware of that. I just noticed that my company still uses v4.9.X and not 5.0.0. The "Committer verification" indicates that gpg is used, but doesn't clearly mention it. Do you know if the verification uses gpg?

            Vladimir Kolesnik added a comment - Wasn't it fixed in Bitbucket 5.0? According to release notes https://confluence.atlassian.com/bitbucketserver/bitbucket-server-5-0-release-notes-889528342.html it should be offered out of the box. I haven't tested myself, still at 4.14.2.

            Tim Meusel added a comment - Hi everybody, could we get some progress here?

            Alexander Birkner added a comment - Yes Atlassian, please show in Bitbucket Server history if the commit is signed or not. Also please add an option to enable the requirement for validated and signed commits for each project and/or repository.

            Mandeep Singh added a comment - Looks like github added this feature: https://github.com/blog/2144-gpg-signature-verification

            jens added a comment - The number of votes are one of many factors we consider when planning new features and improvements. For more details take a look at the following document: https://confluence.atlassian.com/display/Support/Implementation+of+New+Features+Policy

              Michael Heemskerk (Inactive)
              Chris Feldhacker
              Votes: 81
              Watchers: 62
