Use SSH keys to sign commits
Limitations for signed commits
At this time, only commits pushed from the CLI can be verified using an SSH key.
You can sign commits with an SSH key that you generate yourself. For more information, see the Git reference documentation for user.signingKey. If you already use an SSH key to authenticate with Bitbucket, you can use that same key to sign commits. There's no limit on the number of signing keys you can add to your account.
SSH signature verification is available in Git 2.34 or later. To update your version of Git, see the Git website.
Check for existing SSH keys
If you're not sure whether you already have an SSH key, you can check for existing SSH keys locally.
To check if you have existing SSH keys:
In a terminal, use this command to list SSH keys you have access to:
ls -al ~/.ssh
Check the output to see if you have an SSH key pair.
Generate and add a new SSH key
To generate and add your new SSH key to sign commits, follow the steps according to the operating system you use.
macOS: Set up personal SSH keys on macOS | Bitbucket Cloud | Atlassian Support
Windows: Set up personal SSH keys on Windows | Bitbucket Cloud | Atlassian Support
Linux: Set up personal SSH keys on Linux | Bitbucket Cloud | Atlassian Support
Sign commits with an SSH key
To sign commits with an SSH key, follow the steps below using your terminal (CLI).
Tell Git about your key format:
git config --global gpg.format ssh
Tell Git which key to use to sign your commits. To do this, replace ~/.ssh/id_rsa.pub in the example below with the path to your public key.
git config --global user.signingkey ~/.ssh/id_rsa.pub
When committing changes to a local branch, use the -S flag with the git commit command:
git commit -S -m "your commit message"
Enter the passphrase for your SSH key.
Verify that your commit was signed:
git log --show-signature -1
Note: You will need to set up an allowed_signers file in your ~/.ssh/ directory. For more information, see the Git documentation for gpg.ssh.allowedSignersFile. Make sure to use the email address associated with your Bitbucket account. Refer to the example below.
echo "bitbucket@example.com $(cat ~/.ssh/id_rsa.pub)" > ~/.ssh/allowed_signers
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
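As an added check (not part of Atlassian's page or of Git itself), the following Python script parses an allowed_signers file and flags the mistakes that leave commits showing as Unverified: a principal that is not the account email, a namespaces option that excludes git, or a key blob whose type does not match the key type field. The key blobs and email addresses are constructed samples, and KNOWN_KEY_TYPES is an assumed list of common key types.

```python
import base64
import struct

# Key types ssh-keygen accepts in allowed_signers (assumption: the common ones).
KNOWN_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def wire_key_type(blob64):
    """Key type named inside a base64 SSH key blob (uint32 length + string first), or None."""
    try:
        blob = base64.b64decode(blob64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + n].decode()
    except Exception:
        return None

def check_allowed_signers(text, account_email):
    """Return a list of problems; each line is: principals [options] keytype blob [comment]."""
    problems, usable = [], 0
    for lineno, fields in enumerate((ln.split() for ln in text.splitlines()), 1):
        if not fields or fields[0].startswith("#"):
            continue
        kidx = next((i for i, f in enumerate(fields) if f in KNOWN_KEY_TYPES), None)
        if kidx is None or kidx + 1 >= len(fields):
            problems.append(f"line {lineno}: no recognised key type followed by a blob")
            continue
        principals, options = fields[0].split(","), fields[1:kidx]  # fields before the key type
        keytype, wire_type = fields[kidx], wire_key_type(fields[kidx + 1])
        ns = [o.split("=", 1)[1].strip('"').split(",") for o in options if o.startswith("namespaces=")]
        if wire_type != keytype:
            problems.append(f"line {lineno}: blob is {wire_type!r} but field says {keytype!r}")
        elif ns and "git" not in ns[0]:
            problems.append(f"line {lineno}: namespaces option does not include 'git'")
        elif account_email not in principals:  # git matches the committer e-mail here
            problems.append(f"line {lineno}: principal {fields[0]!r} is not {account_email!r}")
        else:
            usable += 1
    return problems if usable else problems + [f"no usable entry for {account_email}"]

def fake_key_blob(keytype, key_bytes):  # base64 blob for a CONSTRUCTED sample key, not a real key
    wire = struct.pack(">I", len(keytype)) + keytype.encode()
    return base64.b64encode(wire + struct.pack(">I", len(key_bytes)) + key_bytes).decode()
SAMPLE_BLOB = fake_key_blob("ssh-ed25519", b"\x01" * 32)
SAMPLE = "\n".join([  # constructed file: one good entry plus three common mistakes
    "# constructed sample ~/.ssh/allowed_signers",
    f"bitbucket@example.com ssh-ed25519 {SAMPLE_BLOB} work-laptop",
    f"other@example.com ssh-ed25519 {SAMPLE_BLOB}",  # e-mail does not match the account
    f'bitbucket@example.com namespaces="file" ssh-ed25519 {SAMPLE_BLOB}',  # git excluded
    f"bitbucket@example.com ssh-rsa {SAMPLE_BLOB}",  # key type field does not match blob
])
```

Run check_allowed_signers(open("~/.ssh/allowed_signers").read(), "you@example.com") with your own path and account email; an empty list means every entry can produce a Verified result.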
If ssh-agent is not running, or your key is not loaded in it, start the agent and add your private key:
eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa
Signature verification statuses
Status | Result
---|---
Verified |
Unverified ⚠️ |
No Signature |