Check for and display a 'verified' icon or something as well.

      Update from Bitbucket Cloud PM on 6 March:

      We just launched support for signed commits using SSH keys so users can now sign commits using both GPG and SSH keys. 

      Update on December 12:

      This release did not include the ability to retroactively identify/link old commits. That is instead being tracked in the request BCLOUD-23508

       

            [BCLOUD-3166] Support signed commits for Git (BB-319)

            tlxtellef added a comment -

            The git commit signature validation does not utilize email aliases. This is a rather big problem for longer-lived projects where a developer's emails have changed one or more times.


            Gwyneth Llewelyn added a comment - - edited

            Well, well, well...

            After almost 13 years in development, and after several project managers/developers have been assigned to this task, never to go further than promising an impossible-to-fulfil deadline and leaving the task (and perhaps even the company itself!) before the estimated date of completion...

            ... congratulations, 1c505570e116, you did it!!

            I lost a few bets in the process, but, thankfully, they were placed so long ago that inflation made me pay a much smaller amount than predicted 🤣

            I'm just joking. I didn't place any bets. I felt tempted, though!

            Nevertheless...

            The most annoying bit of having waited so many years for a basic and almost trivial issue like this was to see the work come to completion — and I cannot test it:

            There had to be a caveat!

            Now, of course, as a free & basic user, I'm really not 'entitled' to demand that Atlassian spends 13 years in development of a featurette and then is somehow 'compelled' to offer it for free.

            Obviously, someone has to pay for the tremendous effort made over such a long time, and just because there was a visible erosion in the user base that spent their time leaving a 'last comment before I say bye-bye to Bitbucket forever' before, well, picking up all their repositories and move to the, uh, competition, the others who have faithfully been around for such a long time, still believing in miracles, are surely expected to bear the costs. Right?

            I mean, it's not as if other Git operators aren't offering this feature absolutely for free — plus a thousand extra bells and whistles which aren't even in Bitbucket's pipeline (pun intended)... right?

            Aye, that was sarcasm, in case you missed it. 😏

            Anyway...

            Of course, after such a long time of waiting, I'm sorely disappointed that this is something I will never be able to test out. Which is really sad, as my favourite code editor, some, uh, 3 or 4 years ago had also added built-in support for commit signing (they had an excuse for not having it built-in since the beginning: the library they're using, and which is a pretty standard one, didn't support commit signing) — previously, I just simply added a scripted command to launch git in a shell in the background. But now, well, it's built-in and it works flawlessly. Of course, I know that it works, because, well, the competing Git repositories all support it. I was looking forward to testing it today with Bitbucket as well.

            Egad. Clearly this is not going to happen.

            That said, I presume that sooner or later this ticket will be closed to comments and its history buried under a rock somewhere; after all, those who are willing to pay for this service (and one can only imagine that the reason for doing so is that the company they work for has an over-reaching contract with Atlassian, where Bitbucket is included) will have got exactly what they have wanted.

            It's just us, free riders, who are unhappy.

            Still, I guess it was really asking too much...

            That said, I bid you all farewell (Atlassian included) and wish you all the best in your future endeavours, which I will watch with interest, but from afar. I also wish you better middle-to-upper management overall. Who knows, perhaps someone will, after all, figure out how to leverage the vast infrastructure deployed by Atlassian to tackle the competition in those simple things such as, well, having signed commits on repos...

            You take care, and be well.


            Alex Honeywell added a comment -

            1c505570e116 would be amazing if you could implement a fix for this as well - BCLOUD-23511

            Erik added a comment -

            Thank you 1c505570e116 and all of the team that completed this functionality including SSH key support ❤️


            Robbie g8sy Gates added a comment -

            1c505570e116 Quick question about the March 6th update to include SSH keys (thank you!!) - the edit deleted the text "and system signed".

            I am interested in system signed commits - by "system signed" i'm imagining that the repo can use its pipelines ssh keys to sign commits that it makes? Is this the current state of this:

            1. It already just works - any git commit made by pipelines with the system keys configured for push will sign commits using these keys. This would be :amaze: :magic: (but i think it's hard because my setup has a few more layers that i suspect need special treatment).
            2. As already supported as it needs to be, because a build running in pipelines has access to the keys, and i just need to configure my git to sign using these keys (which it is already using to other repos for example). I can probably figure this out if so, but a pointer to documentation specific to Bitbucket (i know how to configure git to sign commits) might be handy if it exists.
            3. Planned to get additional support so that something just works out of the box when using bitbucket's documented support for pushing back to the host repository - i.e. SSH Key pair managed by Bitbucket Pipelines section of https://support.atlassian.com/bitbucket-cloud/docs/push-back-to-your-repository/ (yes i know the signing happens at commit not push, but it feels like you want the push because you made the commit, so maybe there's some "works out of the box" here). I.e. this is "we want (1) but it's not done yet".
            4. Split into another issue (since i gather that it's not part of this issue any more based on this deletion and the fact this issue is closed), in which case can you link the issue for supporting system signed commits
            5. Not supported, and no work currently planned / moved to gathering interest (in which latter case i'd like an issue so it can gather my interest)
            6. Not supported and planned to be not implemented (in which case i can roll my own completely i guess, but i'd also be interested in the reasoning here).

            My guess is (2) - but i thought i'd check before diving in - if so, a quick ack of this would be appreciated.

            Gayatri Ramesh added a comment -

            Launch support for signing commits with both SSH and GPG keys.

            Erik added a comment - - edited

            Is there any news on Signed Commits Using SSH Keys? I'm a bit afraid this item is going to get closed without taking this into account. I do want to remind that in the past, signing commits with SSH keys was a thing that was supported.


            Jan Bauer added a comment -

            Great that this works now! It took only 13 years to implement commit verification...


            Stefan C. added a comment -

            Above link (https://www.atlassian.com/blog/bitbucket/strengthen-code-security-with-signed-commits) is a 404.

            Andre Schlegel-Tylla added a comment -

            Is there a timeline for verification against ssh keys? This should be the first choice because most devs should have them in place.

              1c505570e116 Gayatri Ramesh
              487a7d97-59d5-4052-add4-6ee51b4cdb9f Deleted Account (Inactive)