Troubleshooting common Bitbucket Cloud GPG key issues to use signed commits


Platform notice: Cloud only - This article applies to Atlassian products on the cloud platform.

This page provides self-serve troubleshooting steps for the most common issues with GPG keys in Bitbucket Cloud. GPG keys are used to sign commits, and Bitbucket Cloud verifies those signatures against the public keys registered in your personal settings.

Scenario 1: Cannot run gpg: No such file or directory

Summary:

When trying to sign commits with a newly configured GPG key, the following error message shows up:

error: cannot run gpg: No such file or directory 
error: gpg failed to sign the data 
fatal: failed to write commit object

Root cause:

GPG is a separate package that must be installed for signed commits to work. Depending on your operating system it may not be installed by default; it can be installed with most package managers. If GPG is not installed, or Git cannot find its executable (on $PATH or via the gpg.program setting), this error occurs.

Solution

There are two steps to fix this issue:

  1. Make sure that GPG is correctly installed on your machine. Open your terminal and run the following command:

    gpg


    1. If you see output like the one below, GPG is installed and on your $PATH:

      gpg: directory '/Users/<user>/.gnupg' created
      gpg: WARNING: no command supplied.  Trying to guess what you mean ...
      gpg: Go ahead and type your message ...

      Press Ctrl-C to leave the prompt (gpg is waiting for input on stdin) and proceed to step 2.


    2. If instead your shell reports that the command was not found (for example "gpg: command not found"), GPG is not installed. Install it with the package manager for your system (prefix the commands with sudo where your system requires it):

      apt (Debian-based distros)
        apt update && apt install gpg
      yum (Red Hat-based distros)
        yum install gnupg2
      pacman (Arch-based distros)
        pacman -Syu gnupg
      Homebrew (macOS)
        brew install gnupg


(warning) For Windows and other operating systems: install GPG manually from the binaries for your platform on the GnuPG Download page.

If the issue persists after installing GPG, proceed to step 2.


2. Git may not know where the GPG executable is, or the gpg found on your $PATH may be broken. Git uses the gpg.program setting (see git-config in Git's documentation) to locate the program it runs to make and verify signatures. Point it at your working GPG binary by adding the setting to your global Git config:

git config --global gpg.program "$(which gpg)"


If the issue persists after following the steps above, please contact support, or reach out through the Atlassian community.


Scenario 2: gpg failed to sign the data

Summary:

When attempting to sign commits with an existing GPG key, you may see the following error message:

error: gpg failed to sign the data
fatal: failed to write commit object

Possible root causes:

  1. The GPG key has expired; GPG refuses to sign with an expired key.
  2. Git is not configured with the right key ID (user.signingkey), so it asks GPG for a key that is not in your keyring.

Solution

Follow the steps below to determine which of these root causes applies to you and fix it.

Check if your GPG key is expired:

  1. Run the following command in a local test repository (stage a change first, or add --allow-empty):
    GIT_TRACE=1 git commit -m "test"
  2. You should see output like the one below:
    09:58:37.841778 git.c:328               trace: built-in: git 'commit' '-m' 'test'
    09:58:37.865129 run-command.c:626       trace: run_command: 'gpg' '--status-fd=2' '-bsau' '1234567890ABCDE'
    error: gpg failed to sign the data
    fatal: failed to write commit object
    (info) Look for the line containing "trace: run_command: 'gpg'" in your output (the second line above). It shows the exact gpg command Git ran, including the key ID Git asked GPG to sign with (the argument after -bsau), which comes from your user.signingkey setting.

  3. Run the same GPG command yourself, piping in some text for it to sign:
    echo "test" | gpg --status-fd=2 -bsau 1234567890ABCDE
    (info) Without the echo, gpg would wait for you to type the data to sign on stdin.

    If GPG prints an error like the one below, your GPG key has most likely expired (GPG uses the same message for revoked or disabled keys):
    gpg: skipped "1234567890ABCDE": Unusable secret key
    gpg: signing failed: Unusable secret key

    If instead it prints "gpg: skipped "1234567890ABCDE": No secret key", the key ID Git is configured with is not in your keyring; skip to the next check (Check if the GPG secret key is set properly).

    1. If your GPG key has expired, you can extend its expiration date with the following commands:

      (warning) To renew your GPG key, you need to know its ID. You can list the GPG keys on your machine with the command below:

      gpg --list-keys


      Example output:

      [keyboxd]
      ---------
      pub   rsa3072 2024-12-09 [SC]
            <key_id>
      uid           [ultimate] John Doe (comment) <jdoe@example.com>
      sub   rsa3072 2024-12-09 [E]


      Once you know the ID of your GPG key, run the following commands:

      $ gpg --edit-key <key_id>

      # The interactive GPG shell starts
      gpg> expire
      # Follow the on-screen prompts to set a new expiration date. Entering 0 makes the key never expire.
      gpg> save

      (warning) If your key has subkeys, set a new expiration date for those as well: in the same gpg shell, select each subkey with "key 1", "key 2", ... and run "expire" again before "save". Bitbucket still holds the copy of your public key that carries the old expiration date, so export the updated key with "gpg --armor --export <key_id>" and replace the key in your Bitbucket GPG keys settings.

    2. If you don't see the error message above, proceed to the next troubleshooting step.

Check if the GPG secret key is set properly:

  1. List your secret GPG keys:
    gpg --list-secret-keys
  2. Copy the ID of your GPG key (the fingerprint printed under the sec line).
    Example output:
    [keyboxd]
    ---------
    sec   rsa3072 2024-12-09 [SC]
          <key_id>
    uid           [ultimate] John Doe (comment) <jdoe@example.com>
    ssb   rsa3072 2024-12-09 [E]

  3. Tell Git to sign with that key:
    git config --global user.signingkey <key_id>

    If the issue persists after following the steps above, please contact support, or reach out through the Atlassian community.
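The checks above (find the key ID Git passes to gpg, confirm that key exists and is usable, then try the same signing command) can be scripted. The shell script below is an added example, not part of this article or of Bitbucket: it parses the machine-readable output of gpg --batch --with-colons --list-secret-keys instead of the human-readable listing, so the status can be checked without eyeballing dates. SAMPLE_LISTING is constructed sample data (the key IDs, fingerprints and user IDs are made up); run the script with --live to check your own git and gpg configuration.

```sh
#!/bin/sh
# Added example (not from the Atlassian article): script the Scenario 2 checks.
# gpg_key_status() reads the machine-readable listing produced by
#   gpg --batch --with-colons --list-secret-keys
# and answers whether the key Git is configured to use exists and can sign.
# diagnose_live() runs the same checks against the real git/gpg on this machine.

# Constructed sample listing (made-up IDs): one valid key with an encryption-only
# subkey, and one expired key. Colon-format fields used below: $1 record type,
# $2 validity (e=expired, r=revoked, d=disabled), $5 long key ID,
# $7 expiration (epoch seconds in GnuPG 2.x), $12 capabilities (s = can sign).
SAMPLE_LISTING='sec:u:3072:1:1234567890ABCDEF:1733702400:4102444800::u:::scESC:::+:::23::0:
fpr:::::::::FA6BC6AC6675DB5A001122331234567890ABCDEF:
uid:u::::1733702400::0123456789ABCDEF0123456789ABCDEF01234567::John Doe (comment) <jdoe@example.com>::::::::::0:
ssb:u:3072:1:0FEDCBA987654321:1733702400:4102444800:::::e:::+:::23:
sec:e:3072:1:89ABCDEF01234567:1700000000:1701000000::u:::scESC:::+:::23::0:
fpr:::::::::00001111222233334444555589ABCDEF01234567:
uid:e::::1700000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Old Key <old@example.com>::::::::::0:'

# gpg_key_status KEYID LISTING -> prints one of: missing expired revoked disabled nosign ok
# KEYID may be a short (8 hex) ID, a long (16 hex) ID or a 40-hex fingerprint,
# upper or lower case, with or without 0x: anything user.signingkey accepts.
gpg_key_status() {
  want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "$2" | awk -F: -v want="$want" -v now="$(date +%s)" '
    $1 == "sec" || $1 == "ssb" {
      id = $5                                   # long key ID of this (sub)key
      tail16 = substr(want, length(want) - 15)  # last 16 chars when want is a fingerprint
      short8 = substr(id, length(id) - 7)       # short key ID of this (sub)key
      if (want == id || tail16 == id || want == short8) {
        found = 1
        if ($2 == "e")                                status = "expired"
        else if ($2 == "r")                           status = "revoked"
        else if ($2 == "d")                           status = "disabled"
        else if ($7 ~ /^[0-9]+$/ && $7 + 0 < now + 0) status = "expired"
        else if ($1 == "ssb" && $12 !~ /s/)           status = "nosign"
        else                                          status = "ok"
      }
    }
    END { print (found ? status : "missing") }'
}

# diagnose_live: run the real checks against this machine's git and gpg.
diagnose_live() {
  gpg_bin=$(git config --get gpg.program 2>/dev/null || command -v gpg || true)
  key=$(git config --get user.signingkey 2>/dev/null || true)
  if [ -z "$gpg_bin" ] || ! command -v "$gpg_bin" >/dev/null 2>&1; then
    echo "FAIL: no usable gpg; install GnuPG or set gpg.program (Scenario 1)"; return 1
  fi
  if [ -z "$key" ]; then
    echo "FAIL: user.signingkey is not set; run: git config --global user.signingkey <key_id>"; return 1
  fi
  listing=$("$gpg_bin" --batch --with-colons --list-secret-keys 2>/dev/null || true)
  status=$(gpg_key_status "$key" "$listing")
  echo "user.signingkey=$key -> $status"
  [ "$status" = ok ] || return 1
  # Same command Git runs (compare with the GIT_TRACE output); stdin supplies the data to sign.
  # Only stdout (the binary signature) is discarded, so gpg's own error text stays visible.
  if printf 'test' | "$gpg_bin" --status-fd=2 -bsau "$key" >/dev/null; then
    echo "OK: test signature produced"
  else
    echo "FAIL: key is valid but gpg could not sign; check GPG_TTY and pinentry (Scenario 3)"; return 1
  fi
}

# Run the live diagnosis only when asked: sh gpg-diag.sh --live
if [ "${1-}" = "--live" ]; then
  diagnose_live
fi
```

The status "nosign" covers a mistake the human-readable listing hides: pointing user.signingkey at the ID of an encryption-only subkey (the ssb line marked [E]), which exists in the keyring but cannot sign.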

Scenario 3: (macOS only) fatal: failed to write commit object - GPG installed through Homebrew

Summary:

When using GPG on macOS, in particular a GPG installed via Homebrew, you may see one of the errors below even though the GPG key is correctly configured in Git and has not expired:

error: gpg failed to sign the data
fatal: failed to write commit object

or

gpg: signing failed: Inappropriate ioctl for device

Root causes:

A GPG installed via Homebrew on macOS needs two pieces of configuration before it can prompt for your passphrase:

  1. The GPG_TTY environment variable must be set so that gpg-agent knows which terminal to use for the passphrase prompt. "Inappropriate ioctl for device" is the error you get when it is not set.

  2. A pinentry program must be configured, because gpg-agent delegates passphrase entry to an external program.

Solution

Go through the steps below to complete the configuration of a GPG installed via Homebrew on a Mac:

  1. Open your terminal and run the following command to set the GPG_TTY environment variable in your shell startup file (then open a new terminal, or run "export GPG_TTY=$(tty)" in the current one):

    if [ -r ~/.zshrc ]; then echo 'export GPG_TTY=$(tty)' >> ~/.zshrc; \
    else echo 'export GPG_TTY=$(tty)' >> ~/.zprofile; fi
  2. Install pinentry-mac with Homebrew so that GPG has a program to prompt for your passphrase, point gpg-agent at it, and restart the agent so it picks up the new configuration:

    brew install pinentry-mac
    echo "pinentry-program $(which pinentry-mac)" >> ~/.gnupg/gpg-agent.conf
    killall gpg-agent


If the issue persists after following the steps above, please contact support, or reach out through the Atlassian community.


Scenario 4: Commit signature verification failed - (pre-receive hook declined)

Summary:

When pushing commits or tags to a Bitbucket Cloud repository you may see the following error message:

remote: Commit signature verification failed
To https://bitbucket.org/<workspace>/<repo>.git
 ! [remote rejected] branch -> branch (pre-receive hook declined)
error: failed to push some refs to 'https://bitbucket.org/<workspace>/<repo>.git'

Root cause:

This error appears when enforced signed commits is turned on for the repository and your push contains commits that are not signed, or whose signature Bitbucket cannot verify with a GPG key registered in your Bitbucket account.

You can check which commits in your history are signed with the following command:

git log --show-signature


For a signed commit the output includes the key that was used, as below; an unsigned commit shows no gpg: lines at all:

commit abcdefghijklmnopqrstuwvxyz0123456789 (origin/nbranch, origin/HEAD)
gpg: Signature made Thu Dec 12 16:05:15 2024 -03
gpg:                using RSA key 1234567890ABCDE
gpg: Good signature from "John (:D) <jdoe@example.com>" [ultimate]
Author: John Doe <jdoe@example.com>
Date:   Thu Dec 12 16:05:15 2024 -0300


Solution

  1. Check the command used to create your commits. Make sure that you've signed your commit using the -S flag on the git commit command (or set commit.gpgsign to true in your Git config so that every commit is signed automatically):
    git commit -S -m "Commit message"


  2. Check your GPG key, and make sure the key you have locally matches the key you've added to Bitbucket:
    1. Run the following command on your terminal:
      gpg --list-secret-keys --keyid-format LONG
    2. The output should look like the one below. Note the email (uid field), the GPG signing key ID (the text after '/' on the sec line) and the subkey ID (the text after '/' on the ssb line):
      gpg --list-secret-keys --keyid-format LONG

      [keyboxd]
      ---------
      sec   rsa3072/123456789ABCDEF 2024-12-09 [SC]
            FA6BC6AC6675DB51234567890ABCDE
      uid                 [ultimate] John (Message) <jdoe@example.com>
      ssb   rsa3072/ZWXY09876543LE00 2024-12-09 [E]
    3. In Bitbucket, go to your personal settings > GPG keys and make sure the key shown there matches the output above (signing key ID, email and subkey).
  3. Check your Git config, and make sure Git is configured with your GPG key:
    1. Run the following command on your terminal:
      git config --global --list
    2. Look for the following line; the key should match the output of the previous commands:
      user.signingkey=<yourKeyHere>
    3. If there is no signing key configured, or it does not match, configure it by running the following command:
      git config --global user.signingkey <yourKey>
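Before pushing to a repository that enforces signed commits, you can find the offending commits yourself instead of waiting for the pre-receive hook. The shell functions below are an added example, not part of this article or of Bitbucket: classify_commits() reads git log output in the format '%H %G? %s', where %G? is Git's one-letter signature status for each commit, and lists every commit that Git could not verify locally; unsigned_before_push() runs it over exactly the commits a push would send. SAMPLE_LOG is constructed input with made-up hashes.

```sh
#!/bin/sh
# Added example (not from the Atlassian article): list the commits that would
# trip a "Require signed commits" push, before pushing.
# Git's %G? placeholder gives a one-letter signature status per commit:
#   G good, U good but key untrusted locally, X good but signature expired,
#   Y good but key expired, R good but key revoked, E cannot be checked
#   (key not in keyring), B bad signature, N no signature at all.

# Constructed sample `git log --format='%H %G? %s'` output with made-up hashes.
SAMPLE_LOG='0123456789abcdef0123456789abcdef01234567 G Add signed feature
89abcdef0123456789abcdef0123456789abcdef N Quick fix committed without -S
fedcba9876543210fedcba9876543210fedcba98 U Merge from teammate
1111111111111111111111111111111111111111 E Commit from CI signed with a key I do not have'

# classify_commits: reads "<sha> <status> <subject>" lines on stdin and prints
# one line per commit whose signature Git could not verify here, with the reason.
classify_commits() {
  while IFS=' ' read -r sha sig subject; do
    [ -n "$sha" ] || continue
    case "$sig" in
      G|U)   ;;   # verified locally; U only means the key is not trusted in *your* keyring
      N)     echo "$sha unsigned: $subject" ;;
      E)     echo "$sha signed, but the key is not in your local keyring: $subject" ;;
      X|Y|R) echo "$sha signed with an expired or revoked key: $subject" ;;
      B)     echo "$sha BAD signature: $subject" ;;
      *)     echo "$sha unknown status '$sig': $subject" ;;
    esac
  done
}

# count_unverified: number of problem commits in a log fed on stdin (useful as a
# pre-push hook exit condition).
count_unverified() {
  classify_commits | awk 'END { print NR }'
}

# unsigned_before_push [REMOTE] [BRANCH]: classify the commits a push would send,
# i.e. those reachable from HEAD that REMOTE/BRANCH does not have yet.
unsigned_before_push() {
  remote=${1:-origin}
  branch=${2:-$(git rev-parse --abbrev-ref HEAD)}
  git log --format='%H %G? %s' "$remote/$branch..HEAD" | classify_commits
}

# Fixing what it finds: re-sign only the last commit with
#   git commit --amend --no-edit -S
# or every commit since the remote branch with
#   git rebase --exec 'git commit --amend --no-edit -n -S' -i origin/<branch>
```

A commit reported as E is not necessarily a problem for the push: the signature may be from a colleague's key that Bitbucket knows but your keyring does not. N is always a problem, since Bitbucket cannot accept an unsigned commit when enforcement is on.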





Last updated: December 12, 2024
