Update documentation on GPG signing and DCO requirements

Signed-off-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: Copilot

CONTRIBUTING.md

@@ -39,10 +39,17 @@ All contributions come through pull requests. To submit a proposed change, we re
 
 A good way to communicate before investing too much time is to create a "Work-in-progress" PR and share it with your reviewers. The standard way of doing this is to add a "[WIP]" prefix in your PR's title and open the pull request as a draft.
 
-### Developer Certificate of Origin: Signing your work
+### Developer Certificate of Origin and GPG Signing
 
 #### Every commit needs to be signed
 
+This project requires two types of signatures on all commits:
+
+1. **Developer Certificate of Origin (DCO) Sign-off**: A text attestation that you have the right to submit the code
+2. **GPG Signature**: A cryptographic signature verifying your identity
+
+**For DCO Sign-offs:**
+
 The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the [DCO](https://developercertificate.org/), reformatted for readability:
 ```
 By making a contribution to this project, I certify that:
@@ -70,19 +77,51 @@ Git even has a `-s` command line option to append this automatically to your com
 git commit -s -m 'This is my commit message'
 ```
 
-Each Pull Request is checked  whether or not commits in a Pull Request do contain a valid Signed-off-by line.
+**For GPG Signatures:**
+
+GPG signatures verify the identity of the committer. To set up GPG signing:
+
+1. Generate a GPG key and configure Git to use it:
+   ```sh
+   git config --global user.signingkey YOUR_KEY_ID
+   git config --global commit.gpgsign true
+   ```
+
+2. Sign commits with the `-S` flag (or rely on the automatic signing from the above configuration):
+   ```sh
+   git commit -S -m 'This is my signed commit message'
+   ```
+
+3. For both DCO sign-off and GPG signature in one command:
+   ```sh
+   git commit -S -s -m 'This is my signed and signed-off commit message'
+   ```
+
+For detailed instructions on setting up both signature types, see [docs/dco-compliance.md](./docs/dco-compliance.md).
+
+Each Pull Request is checked to ensure all commits contain valid DCO sign-offs and GPG signatures.
 
 #### I didn't sign my commit, now what?!
 
 No worries - You can easily replay your changes, sign them and force push them!
 
+**For adding both DCO sign-off and GPG signature:**
 ```sh
 git checkout <branch-name>
-git commit --amend --no-edit --signoff
+git commit --amend --no-edit -S -s
 git push --force-with-lease <remote-name> <branch-name>
 ```
 
-*Credit: This doc was cribbed from Dapr.*
+**For fixing multiple commits:**
+```sh
+git rebase -i HEAD~n  # Replace n with the number of commits to fix
+# Change 'pick' to 'edit' for each commit
+# For each commit:
+git commit --amend --no-edit -S -s
+git rebase --continue
+```
+
+For more detailed instructions on fixing commits, see [docs/dco-compliance.md](./docs/dco-compliance.md).
 
 ### Rust Analyzer
 

README.md

@@ -279,4 +279,9 @@ See the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code
 
 ## Development
 
-All commits to this repository are signed with GPG verified signatures and include DCO sign-offs. See the [CONTRIBUTING.md](./CONTRIBUTING.md#developer-certificate-of-origin-signing-your-work) file for more information on DCO requirements.
+All commits to this repository require:
+
+1. **GPG Verified Signatures**: Each commit must be cryptographically signed using GPG to verify the committer's identity.
+2. **DCO Sign-offs**: Each commit must include a Developer Certificate of Origin sign-off line.
+
+For details on configuring both requirements, see [docs/dco-compliance.md](./docs/dco-compliance.md) and the [CONTRIBUTING.md](./CONTRIBUTING.md#developer-certificate-of-origin-signing-your-work) file.

docs/dco-compliance.md

@@ -1,11 +1,18 @@
-# DCO Compliance
+# Commit Signing Requirements
 
-This document explains how to ensure your commits comply with the Developer Certificate of Origin (DCO) requirements for this project.
+This document explains how to ensure your commits comply with both the Developer Certificate of Origin (DCO) requirements and GPG signing requirements for this project.
 
 ## What is the DCO?
 
 The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. See the full text in the [CONTRIBUTING.md](../CONTRIBUTING.md#developer-certificate-of-origin-signing-your-work) file.
 
+## Two Required Signature Types
+
+All commits to this repository must have two types of signatures:
+
+1. **DCO Sign-off**: A `Signed-off-by` line in the commit message
+2. **GPG Signature**: A cryptographic signature verifying the committer's identity
+
 ## Adding DCO Sign-offs to Commits
 
 All commits must include a `Signed-off-by` line in the commit message. This line certifies that you have the right to submit your contribution under the project's license.
@@ -36,22 +43,122 @@ git config --global alias.cs 'commit -s'
 
 Then use `git cs` instead of `git commit` to create commits with sign-offs.
 
-### Adding Sign-offs to Existing Commits
+## GPG Signing Your Commits
+
+In addition to DCO sign-offs, all commits must be GPG signed to verify your identity.
+
+### Setting Up GPG
+
+1. If you don't have a GPG key, generate one:
+
+   ```sh
+   gpg --full-generate-key
+   ```
+   
+   Choose RSA and RSA, 4096 bits, and an expiration date of your preference.
+
+2. List your keys to get the ID:
+
+   ```sh
+   gpg --list-secret-keys --keyid-format=long
+   ```
+   
+   Look for the line starting with "sec" and note the key ID after the "/".
+
+3. Configure Git to use your GPG key:
+
+   ```sh
+   git config --global user.signingkey YOUR_KEY_ID
+   ```
+   
+   Replace YOUR_KEY_ID with your actual GPG key ID.
 
-If you forgot to sign off your commits, you can amend them:
+4. Configure Git to sign commits automatically:
+
+   ```sh
+   git config --global commit.gpgsign true
+   ```
+
+### Creating GPG Signed Commits
+
+With automatic signing enabled, normal commit commands will create signed commits. You can also explicitly sign with:
 
 ```sh
-git commit --amend --no-edit --signoff
+git commit -S -m "Your commit message"
 ```
 
-For multiple commits, you can use git rebase:
+To create a commit with both GPG signature and DCO sign-off:
 
 ```sh
-git rebase --signoff HEAD~n
+git commit -S -s -m "Your commit message"
 ```
 
-Replace `n` with the number of commits you want to sign off.
+### Adding Your GPG Key to GitHub
+
+1. Export your public key:
+
+   ```sh
+   gpg --armor --export YOUR_KEY_ID
+   ```
+
+2. Copy the output and add it to your GitHub account under Settings > SSH and GPG keys.
+
+## Adding Both Signatures to Existing Commits
+
+If you forgot to sign your commits, you can fix them:
+
+### For the Last Commit
+
+```sh
+git commit --amend --no-edit -S -s
+```
+
+### For Multiple Commits
+
+For adding both DCO sign-offs and GPG signatures to a range of commits, use interactive rebase:
+
+1. Start the rebase:
+
+   ```sh
+   git rebase -i HEAD~n
+   ```
+   
+   Replace `n` with the number of commits you want to sign.
+
+2. In the editor, change `pick` to `edit` for each commit.
+
+3. For each commit that opens during the rebase:
+
+   ```sh
+   git commit --amend --no-edit -S -s
+   git rebase --continue
+   ```
+
+Alternatively, for adding just DCO sign-offs to multiple commits:
+
+```sh
+git rebase --signoff HEAD~n
+```
 
 ## Verification
 
-The project uses automated checks to verify that all commits include the required DCO sign-off. If you receive a DCO failure notification, please follow the instructions above to add the required sign-offs.
+The project uses automated checks to verify that all commits include both the required DCO sign-off and GPG signature. If you receive a signature verification failure notification, please follow the instructions above to add the required signatures.
+
+## Troubleshooting
+
+### GPG Signing Issues
+
+If you encounter issues with GPG signing:
+
+- Ensure your GPG key is properly generated and configured with Git
+- Set the `GPG_TTY` environment variable: `export GPG_TTY=$(tty)`
+- For Git GUI tools, you may need to configure GPG agent
+- On Windows, you might need to specify the full path to gpg.exe
+
+### DCO Sign-off Issues
+
+If you encounter issues with DCO sign-offs:
+
+- Ensure your Git user name and email are correctly configured
+- Check that the commit author email matches your configured email
+- For commits created through GitHub's web interface, you'll need to add the sign-off manually in the commit message