Use SSH keys to sign commits

Limitations for signed commits

At this time, only commits pushed from the command line (CLI) can be verified using an SSH key.

You can sign commits with an SSH key that you generate yourself. For more information, see the Git reference documentation for user.signingKey. If you already use an SSH key to authenticate with Bitbucket, you can use that same key to sign commits. There's no limit on the number of signing keys you can add to your account.

SSH signature verification is available in Git 2.34 or later. To update your version of Git, see the Git website.

Check for existing SSH keys

If you're not sure whether you already have an SSH key, you can check for existing SSH keys locally.

To check if you have existing SSH keys:

  1. In a terminal, use this command to list the keys in your ~/.ssh directory:

    ls -al ~/.ssh
  2. Check the output to see if you have an SSH key pair (for example, id_rsa and id_rsa.pub).

Generate and add a new SSH key

To generate and add your new SSH key to sign commits, follow the steps according to the operating system you use.

Sign commits with an SSH key

To sign commits with an SSH key, follow the steps below using your terminal (CLI).

  1. Tell Git about your key format:

    git config --global gpg.format ssh
  2. Tell Git which key to use to sign your commits. To do this, replace ~/.ssh/id_rsa.pub in the example below with the path to your public key.

    git config --global user.signingkey ~/.ssh/id_rsa.pub
  3. When committing changes to a local branch, use the -S flag with the git commit command:

    git commit -S -m "your commit message"
  4. Enter the passphrase for your SSH key.

  5. Verify that your commit was signed:

    git log --show-signature -1

    Note: You will need to set up an allowed_signers file in your ~/.ssh/ directory. For more information, see the Git documentation for gpg.ssh.allowedSignersFile. Make sure to use the email address associated with your Bitbucket account. Refer to the example below.

    echo "bitbucket@example.com $(cat ~/.ssh/id_rsa.pub)" > ~/.ssh/allowed_signers
    git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
  6. If Git can't find your key, start ssh-agent and add your key to it. Note that ssh-add takes the private key, not the .pub file:

    eval $(ssh-agent)
    ssh-add ~/.ssh/id_rsa
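The six steps above, run end to end in a throwaway repository, as an added example that is not from the Bitbucket page. It assumes git 2.34 or later and OpenSSH 8.2 or later (ssh-keygen -Y) on PATH; the key, email and repository are constructed for the demo and removed afterwards, and user.signingkey points at the private key so that no ssh-agent is needed.

```shell
# Added example (not from the Bitbucket page): signs one commit with a
# throwaway SSH key and verifies it against an allowed_signers file.
ssh_sign_demo() {
    work=$(mktemp -d) || return 1
    key="$work/id_ed25519"               # constructed throwaway key, no passphrase
    email="bitbucket@example.com"        # the email the page uses in allowed_signers
    repo="$work/repo"

    ssh-keygen -q -t ed25519 -N "" -C "$email" -f "$key" || return 1
    git init -q "$repo" || return 1

    # Per-repo config (no --global) so nothing outside $work is touched.
    git -C "$repo" config user.name "Demo"
    git -C "$repo" config user.email "$email"
    git -C "$repo" config gpg.format ssh                # step 1
    git -C "$repo" config user.signingkey "$key"        # step 2 (private key here)

    # Step 5: allowed_signers maps a principal (the email) to a public key.
    # Keep only "keytype base64" from the .pub line and drop the comment.
    printf '%s %s\n' "$email" "$(cut -d' ' -f1,2 "$key.pub")" > "$work/allowed_signers"
    git -C "$repo" config gpg.ssh.allowedSignersFile "$work/allowed_signers"

    # Step 3: make a signed commit.
    echo "demo" > "$repo/file.txt"
    git -C "$repo" add file.txt
    git -C "$repo" commit -q -S -m "signed demo commit" || return 1

    # %G? is git's one-letter verification status: G = good, B = bad, N = none.
    status=$(git -C "$repo" log -1 --format=%G?)
    rm -rf "$work"
    printf '%s\n' "$status"
}

# Prints "G" when the signature verifies against allowed_signers.
ssh_sign_demo
```

Change the principal in allowed_signers to a different email and the same commit verifies as bad, which is the local counterpart of the "Unverified" status described below.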

Signature verification statuses

Status: Verified
Result:
  • A trusted author has signed the commit and the signature has been verified.

Status: Unverified ⚠️
Result (any of the following):
  • The commit has an SSH signature, but verification fails because of an email mismatch.
  • The key used to sign the commit has not been uploaded to a Bitbucket user account.
  • The key used to sign the commit is either unsupported or invalid (deleted or revoked).

Status: No Signature
Result (any of the following):
  • The commit was created before signed commits were supported.
  • The commit hasn't been signed.
  • The commit was made through the Bitbucket web interface.
  • The commit was made with a merge strategy.
