Lots of articles state that code signing is necessary to verify the integrity of the code. If someone were to tamper with the code, can this be prevented?
This article talks about code signing being introduced as a feature: Signed commits
But how does one tamper with the code in the first place?
If a developer commits the code and pushes it to a Bitbucket or Git repository, it will be safe there. What is the point at which an attacker can tamper with the code?
If the answer is: After the commit and before the push, that can happen in other ways as well. After the file is edited by the developer, an attacker may modify it. The developer will end up committing and pushing the corrupted file.
After the file is pushed, can somebody modify it on the filesystem of the source control server?
If the file is modified on the filesystem of Bitbucket, does Bitbucket detect it immediately and log it as an error or warning?
I am just trying to understand the scenario that necessitates code signing.
This is a great question.
For me it's all about making sure the displayed author of commit is really the person who committed.
Bitbucket will match your user based on your gitconfig's user.email property.
You can set john.doe@example.com in your gitconfig, commit and push --> Bitbucket will display the author of the commit as being your colleague John Doe.
I just tried this on Bitbucket Data Center by the way: the profile picture, display name and email of my colleague show up next to the commit, but it was me doing the commit, with my personal authentication.
With signed commits there is a verification: your signing key is secret and belongs to you, nobody else has it. So if your commit is signed with your key, everyone can be sure the commit came from you.
I hope you will get more and better replies. But for me this is a simple example of how Git acts, and I think a lot of people are not aware of this.
This behavior is not only in Bitbucket by the way. You'll probably see it in any git solution.