Use GPG keys to sign commits

Limitations for signed commits

At this time, only commits pushed from the CLI can be verified using a GPG key signature.

Using GPG keys

GPG keys are a way to sign and verify work from trusted collaborators. This page describes how to generate a GPG key to sign and verify commits or tags for use with Bitbucket Cloud.

About GPG keys

GPG is a command line tool used together with Git to encrypt and sign commits or tags to verify contributions in Bitbucket. In order to use GPG keys with Bitbucket, you'll need to generate a GPG key locally, add it to your Bitbucket account, and also set it up for use with Git. If you already have a GPG key ready to go, you can jump straight to the Add a GPG key to Bitbucket section.

Install GPG

If you don't already have GPG, you'll need to install it locally. You can install GPG manually using binaries for your operating system on the GnuPG Download page or use a package manager, such as Homebrew.

To install the GPG command line tools using Homebrew:

    brew install gnupg

Check for existing GPG keys

If you aren't sure whether you already have a GPG key, you can check for existing GPG keys locally.

To check whether you have existing GPG keys:

  1. In a terminal, list the GPG keys you have access to with the following command:

    gpg --list-secret-keys --keyid-format LONG
  2. Check whether the output contains a GPG key pair.

  3. If there are no GPG key pairs, you'll need to generate a new GPG key.

    If there are GPG key pairs you want to use, you'll need to add them to your Bitbucket account.

Generate a new GPG key

To generate a new GPG key for signing commits or tags, you must have GPG installed.

To generate a new GPG key:

  1. In a terminal, generate a GPG key with the following command:

    gpg --full-generate-key
  2. Provide the information requested at the prompts:

    1. Enter your ID information.

    2. Enter a secure passphrase.

Make sure you use the email associated with your Bitbucket account, choose a secure passphrase, and store it in your password manager.

  3. List your GPG keys with the following command:

    gpg --list-secret-keys --keyid-format=long
  4. Copy the GPG key fingerprint to use with Bitbucket. For example, below the GPG key fingerprint is 8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6.

    gpg --list-secret-keys --keyid-format=long
    gpg: checking the trustdb
    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2025-10-24
    [keyboxd]
    ---------
    sec   ed25519/8AEDA33EA0CA3AF6 2024-10-24 [SC] [expires: 2025-10-24]
          8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6
    uid                 [ultimate] eilen shahbaz (my bitbucket gpg key) <eshahbaz@atlassian.com>
    ssb   cv25519/5123BDCC83E0FF13 2024-10-24 [E] [expires: 2025-10-24]
  5. Paste the GPG key fingerprint you copied into this command to export the public key you will enter in Bitbucket.

    gpg --armor --export 8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6
    # Prints the public key in ASCII armor format
  6. From the output, copy your public GPG key, which starts at -----BEGIN PGP PUBLIC KEY BLOCK----- and ends at -----END PGP PUBLIC KEY BLOCK-----.

You can now add your public GPG key to your Bitbucket account.

Add a GPG key

In order to use your GPG key with Bitbucket, you need to have GPG installed, and have generated a GPG key to add.

To add your GPG key to Bitbucket:

  1. Select Settings ⚙️ on the top navigation bar.

  2. Select Personal Bitbucket settings from the Settings dropdown menu.

  3. Select GPG keys under Security on the left sidebar.

  4. Select the Add key button.

  5. (Optional) Provide a name for your GPG key.

  6. Copy your public GPG key.

  7. Paste your GPG key in the Key field.

  8. Select the Add key button.

Configure Git to use your GPG key

In order to use GPG keys with Bitbucket, you need to tell your local Git installation which GPG key to use.

To configure Git to use your GPG key:

  1. Copy your GPG key ID.

    • To list your GPG keys, use the following command:

    gpg --list-secret-keys --keyid-format LONG

    Copy the GPG key ID to use with Bitbucket. For example, below the GPG key ID is 7FFFC09ACAC05FD0.

    gpg --list-secret-keys --keyid-format LONG
    /Users/bitbucketbot/.gnupg/pubring.gpg
    ------------------------------
    sec   rsa2048/7FFFC09ACAC05FD0 2017-06-02 [SC] [expires: 2019-06-02]
          5538B0F643277336BA7F0E457FFFC09ACAC05FD0
    uid                 [ultimate] BitbucketBot <bitbucket@realaddress.com>
    ssb   rsa2048/95E8A289DFE77A84 2017-06-02 [E] [expires: 2019-06-02]
  2. Paste your GPG key ID into the following command to tell Git which key to use:

    git config --global user.signingkey MY_KEY_ID
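The two listings above are the input you read the key ID or fingerprint from. As an added example (not part of the Bitbucket documentation), this Python script parses that `gpg --list-secret-keys --keyid-format=long` output, skips keys gpg marks expired or revoked, and picks the signing-capable key whose uid carries your Bitbucket account email, so the value handed to `git config --global user.signingkey` is the right one. The embedded listing is the page's ed25519 key plus the page's older rsa2048 key relabelled expired (a constructed sample).

```python
import re

# Sample listing: the page's own `gpg --list-secret-keys --keyid-format=long` output, plus the
# page's older rsa2048 key marked expired, as gpg prints it today (constructed sample).
SAMPLE_LISTING = """\
gpg: checking the trustdb
[keyboxd]
---------
sec   ed25519/8AEDA33EA0CA3AF6 2024-10-24 [SC] [expires: 2025-10-24]
      8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6
uid                 [ultimate] eilen shahbaz (my bitbucket gpg key) <eshahbaz@atlassian.com>
ssb   cv25519/5123BDCC83E0FF13 2024-10-24 [E] [expires: 2025-10-24]
sec   rsa2048/7FFFC09ACAC05FD0 2017-06-02 [SC] [expired: 2019-06-02]
      5538B0F643277336BA7F0E457FFFC09ACAC05FD0
uid                 [ expired] BitbucketBot <bitbucket@realaddress.com>
ssb   rsa2048/95E8A289DFE77A84 2017-06-02 [E] [expired: 2019-06-02]
"""

# "sec <algo>/<long key ID> <date> [caps] [expires|expired|revoked: <date>]"
SEC_RE = re.compile(r"^sec\s+\S+/(?P<keyid>[0-9A-F]{16})\s+\S+\s+\[(?P<caps>[A-Z]+)\]"
                    r"(?:\s+\[(?P<status>expires|expired|revoked):\s*(?P<date>[0-9-]*)\])?")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})$")                    # fingerprint line under "sec"
UID_RE = re.compile(r"^uid\s+(?:\[\s*\w+\]\s+)?.*<([^>]+)>")   # uid line carrying <email>

def parse_secret_keys(listing):
    """Return one dict per primary secret key: keyid, caps, status, fingerprint, emails."""
    keys = []
    for line in listing.splitlines():
        m = SEC_RE.match(line)
        if m:
            keys.append({"keyid": m["keyid"], "caps": m["caps"], "fingerprint": None,
                         "status": m["status"] or "ok", "until": m["date"], "emails": []})
            continue
        if not keys:  # trustdb chatter and keyring header lines precede the first key
            continue
        m = FPR_RE.match(line)
        if m and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = m[1]
        m = UID_RE.match(line)
        if m:
            keys[-1]["emails"].append(m[1].lower())
    return keys

def pick_signing_key(listing, account_email):
    """Fingerprint of a signing-capable key that gpg has not marked expired/revoked and whose uid
    matches the Bitbucket account email; None if nothing qualifies."""
    for key in parse_secret_keys(listing):
        usable = key["status"] not in ("expired", "revoked") and "S" in key["caps"]
        if usable and account_email.lower() in key["emails"]:
            return key["fingerprint"]
    return None
```

Feed the real listing (for example captured with subprocess) instead of SAMPLE_LISTING and pass the returned fingerprint to git config --global user.signingkey.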

Sign commits and tags with your GPG key

In order to sign commits and tags with a GPG key in Bitbucket, you need to have:

To sign commits with a GPG key:

  1. Tell Git about your key using its fingerprint or key ID, for example, 8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6:

    git config --global user.signingkey <KEY_ID>
  2. Run the following command in the zsh shell to add the GPG_TTY setting to your .zshrc file, if it exists, or otherwise to your .zprofile file:

    if [ -r ~/.zshrc ]; then echo -e '\nexport GPG_TTY=$(tty)' >> ~/.zshrc; \
    else echo -e '\nexport GPG_TTY=$(tty)' >> ~/.zprofile; fi
    source ~/.zshrc && source ~/.zprofile
  3. When committing changes to a local branch, use the -S flag with the git commit command:

    git commit -S -m "your commit message"
  4. Enter your GPG key passphrase.

  5. Verify that your commit was signed:

    git log --show-signature

Signature verification statuses

Status

Result

Verified

  • Trusted author has signed the commit and the signature has been verified.

Unverified ⚠️

  • The commit possesses a GPG signature, but verification fails due to an email mismatch.

  • The key utilized for signing the commit has not been uploaded to a Bitbucket user account.

  • The key for signing the commit is either unsupported or invalid (deleted or revoked).

No Signature

  • The commit was created before the implementation of signed commits.

  • The commit hasn’t been signed.

  • The commit has been made through the Bitbucket web interface.

  • The commit was made with a merge strategy.
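Bitbucket applies the rules in this table on the server. As an added example (not Bitbucket's own code), the Python script below re-applies them locally to audit a branch: the assumed input is one tab-separated line per commit from `git log --format='%H%x09%G?%x09%GF%x09%ae'` (`%G?` is git's gpg verification code, `%GF` the signer fingerprint, `%ae` the author email, taken here as the email Bitbucket compares), and UPLOADED_KEYS is an assumed registry of fingerprints uploaded to Bitbucket accounts. The log lines and placeholder hashes are constructed.

```python
# Assumed registry: fingerprint uploaded to a Bitbucket account -> that account's email.
UPLOADED_KEYS = {"8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6": "eshahbaz@atlassian.com"}

# Constructed sample of `git log --format='%H%x09%G?%x09%GF%x09%ae'` output; the first
# column would be a full commit hash, shortened here to placeholders.
SAMPLE_LOG = "\n".join([
    "1111111\tG\t8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6\teshahbaz@atlassian.com",
    "2222222\tG\t8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6\tother@example.com",
    "3333333\tG\t0000000000000000000000000000000000000000\tsomeone@example.com",
    "4444444\tR\t8F2F8C1E26E0069BC7FE7E258AEDA33EA0CA3AF6\teshahbaz@atlassian.com",
    "5555555\tN\t\tsomeone@example.com",
])

# git %G? codes: G good, U good but untrusted, R revoked key, X/Y expired signature/key,
# B bad signature, E cannot be checked, N no signature.
INVALID_CODES = ("B", "E", "R", "X", "Y")

def classify(gpg_code, fingerprint, author_email, uploaded=UPLOADED_KEYS):
    """Map one commit to (status, reason) following the status table above."""
    if gpg_code == "N":
        return "No Signature", "the commit hasn't been signed"
    if gpg_code in INVALID_CODES:
        return "Unverified", "signing key is unsupported or invalid (bad, revoked, or expired)"
    owner = uploaded.get(fingerprint)
    if owner is None:
        return "Unverified", "signing key has not been uploaded to a Bitbucket account"
    if owner.lower() != author_email.lower():
        return "Unverified", "email mismatch between key owner and commit author"
    return "Verified", "trusted author signed the commit and the signature was verified"

def audit(log_text, uploaded=UPLOADED_KEYS):
    """Classify every log line; returns [(short sha, status, reason), ...]."""
    report = []
    for line in log_text.splitlines():
        sha, code, fpr, email = line.split("\t")
        report.append((sha[:7],) + classify(code, fpr, email, uploaded))
    return report

def unverified_shas(log_text, uploaded=UPLOADED_KEYS):
    """Commits a reviewer should look at: everything that is not Verified."""
    return [sha for sha, status, _ in audit(log_text, uploaded) if status != "Verified"]
```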

Save your passphrase in a keychain

To store your GPG key passphrase so you don’t have to enter it every time you sign a commit, we recommend using the following tools:

  • For Mac users, the GPG Suite allows you to store your GPG key passphrase in the macOS Keychain.

  • For Windows users, the Gpg4win integrates with other Windows tools.

You can also manually configure gpg-agent to save your GPG key passphrase, but this doesn’t integrate with macOS Keychain like ssh-agent and requires more setup.
