
Commit efc8f5f

docs(dx): document GPG signing requirement for commits (#674)
* docs(dx): document GPG signing requirement for commits

Surfaced during PR #672 review: @jordane confirmed GPG signing is enforced by repo policy, but neither CLAUDE.md nor .claude/rules/commit-workflow.md mentioned it. Both said only DCO sign-off was required, which caused churn during that review.

- CLAUDE.md: updated the single-line commit guidance to `git commit --signoff -S` and noted both signatures are enforced.
- .claude/rules/commit-workflow.md: added a "Commit Signing" section with one-time GPG setup, the standard commit command, and a signature-verification snippet for branch validation.

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>

* docs(dx): align contributor docs with GPG-enforcement policy

Address PR #674 review feedback from @copilot-pull-request-reviewer and @jordane.

- CONTRIBUTING.md (Sign-off section): renamed to "Sign-off and GPG Signing", expanded to require both --signoff and -S, included one-time GPG config, and pointed at .claude/rules/commit-workflow.md as the canonical policy source (per @copilot-pull-request-reviewer)
- .claude/agents/code-standards-enforcer.md (General Rules checklist): updated the commit-signing item to require both --signoff and -S with a cross-reference to commit-workflow.md (per @copilot-pull-request-reviewer)
- .claude/rules/commit-workflow.md (verification snippet): relaxed acceptable %G? codes to G or U (good-but-untrusted is fine for policy), documented that N/B/E need investigation, and noted that GitHub's Verified badge is the authoritative post-push check since local %G? depends on which keys are in the user's trust db (per @copilot-pull-request-reviewer and @jordane)

Resolves 2 review threads.

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>

---------

Signed-off-by: Manish Dixit <mdixit@linuxfoundation.org>
Co-authored-by: David Deal <ddeal@linuxfoundation.org>
1 parent 939cc68 commit efc8f5f

4 files changed

Lines changed: 40 additions & 6 deletions


.claude/agents/code-standards-enforcer.md

Lines changed: 1 addition & 1 deletion
@@ -231,7 +231,7 @@ Every backend endpoint must follow: **service** → **controller** → **route**
231231
- [ ] **License headers** on ALL source files (`.ts`, `.html`, `.scss`)
232232
- [ ] **yarn only** — never npx or other package runners
233233
- [ ] **`docker compose`** not `docker-compose`
234-
- [ ] **Git commits signed off** with `--signoff`
234+
- [ ] **Git commits signed off AND GPG-signed** with `--signoff -S` (both required per repo policy — see `.claude/rules/commit-workflow.md`)
235235
- [ ] **No Claude co-author** in commits
236236
- [ ] **Linting errors fixed** after changes
237237
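Review bot: the checklist item now keys on the literal flags `--signoff -S`, but the setup this same PR adds to `.claude/rules/commit-workflow.md` turns on `commit.gpgsign true`, after which a contributor legitimately commits without `-S` and still produces a GPG-signed commit. An enforcer that looks for the flag text would flag those commits; suggest phrasing the item as an outcome rather than a command line, e.g. `- [ ] **Git commits signed off AND GPG-signed** (Signed-off-by trailer present; \`git log --format=%G?\` shows G or U)`, which is what the policy actually checks.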

.claude/rules/commit-workflow.md

Lines changed: 26 additions & 0 deletions
@@ -15,6 +15,32 @@ globs: '*'
1515
- `feat(auth): add OAuth2 integration`
1616
- `fix(ui): resolve mobile button alignment`
1717

18+
## Commit Signing
19+
20+
All commits must be both DCO-signed and GPG-signed:
21+
22+
- **DCO sign-off (`--signoff`)** — required by repo policy; validated by the Probot DCO check in CI. The `Signed-off-by: Name <email>` trailer is appended automatically when you pass `--signoff` (or `-s`).
23+
- **GPG signature (`-S`)** — required by repo policy; commits must have a valid GPG signature attached. Configure a signing key once and Git will pick it up for every commit:
24+
25+
```bash
26+
git config --global user.signingkey <KEY_ID>
27+
git config --global commit.gpgsign true
28+
```
29+
30+
Standard commit command:
31+
32+
```bash
33+
git commit --signoff -S -m "<type>(<scope>): <subject>"
34+
```
35+
36+
If signing fails, fix the underlying issue — do not push unsigned commits. To verify signature status on a branch's commits:
37+
38+
```bash
39+
git log --format='%G? %h %s' origin/main..HEAD
40+
```
41+
42+
Acceptable `%G?` codes: `G` (good signature) or `U` (good signature, signing key isn't in your local trust db — fine for policy purposes). Codes `N` (no signature), `B` (bad signature), or `E` (cannot check — e.g., missing public key locally) need investigation. Note that the authoritative GPG check is GitHub's **Verified** badge on each commit after push — if your signing key isn't registered with GitHub, the local check can pass while GitHub still marks the commit as unverified.
43+
1844
## Branch Naming
1945

2046
- Branch names follow commit types followed by the JIRA ticket number
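Review bot: the `%G?` legend in the new verification paragraph omits three codes Git can emit: `X` (good signature that has expired), `Y` (good signature made by an expired key) and `R` (good signature made by a revoked key). A contributor who sees one of these finds it in neither the acceptable list nor the investigate list; suggest adding them to the investigate group next to `N`, `B` and `E`. Two smaller points on the same section: `origin/main..HEAD` only means what the text says if `origin/main` is current, so a `git fetch origin` before the `git log` line would avoid a stale range; and once `commit.gpgsign true` is configured the `-S` in the standard command is redundant (harmless, but a short parenthetical would stop readers from assuming that omitting it yields an unsigned commit).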

CLAUDE.md

Lines changed: 1 addition & 1 deletion
@@ -127,7 +127,7 @@ Utilities split into **generic** helpers (date/time, string, url, file, form, ht
127127

128128
- Follow Angular commit format: `type(scope): description`. Valid types: `feat, fix, docs, style, refactor, perf, test, build, ci, revert`**`chore` is not allowed** by commitlint.
129129
- Commit header is capped at **72 characters** (commitlint `header-max-length`).
130-
- Always use `git commit --signoff` (DCO enforced).
130+
- Always use `git commit --signoff -S` — both DCO sign-off (`--signoff`) and GPG signing (`-S`) are enforced by repo policy. See `.claude/rules/commit-workflow.md` for setup.
131131
- Pre-commit runs `./check-headers.sh`, `npx lint-staged` (prettier + lint on staged files), then repo-wide `yarn format:check`, `yarn lint:check`, and `yarn check-types`. Only `lint-staged` is scoped to staged files — the rest run on the whole repo. You don't need to run `yarn format` manually; `lint-staged` already prettifies staged files. If a commit fails, fix the reported issue and retry.
132132
- See `.claude/rules/commit-workflow.md` for PR title / sizing / JIRA details.
133133
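Review bot: the replacement bullet ends with `See \`.claude/rules/commit-workflow.md\` for setup.` while the unchanged bullet two lines below already reads `See \`.claude/rules/commit-workflow.md\` for PR title / sizing / JIRA details.` Two pointers to the same file in adjacent bullets are the kind of duplication that drifts; suggest folding signing into the existing cross-reference (`... for signing setup, PR title / sizing / JIRA details`) and dropping the trailing sentence from the new line.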

CONTRIBUTING.md

Lines changed: 12 additions & 4 deletions
@@ -235,15 +235,23 @@ middleware with proper token refresh handling.
235235
Closes #123
236236
```
237237

238-
### Sign-off
238+
### Sign-off and GPG Signing
239239

240-
All commits must be signed off:
240+
All commits must be both DCO-signed and GPG-signed:
241241

242242
```bash
243-
git commit --signoff
243+
git commit --signoff -S
244244
```
245245

246-
This adds a `Signed-off-by` line to your commit message.
246+
- `--signoff` adds the `Signed-off-by:` trailer required by the DCO check in CI.
247+
- `-S` adds a GPG signature; configure your signing key once and Git will pick it up for every commit:
248+
249+
```bash
250+
git config --global user.signingkey <KEY_ID>
251+
git config --global commit.gpgsign true
252+
```
253+
254+
See `.claude/rules/commit-workflow.md` for the canonical signing policy and instructions for verifying your branch's commits before pushing.
247255

248256
## Pull Request Process
249257
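Review bot: the two-line GPG config block is copied verbatim from `.claude/rules/commit-workflow.md`, the file the very next sentence names as the canonical signing policy; keeping both copies invites exactly the drift this PR is fixing. Suggest keeping only the `git commit --signoff -S` command and the pointer here, or, if the block stays, noting how to find `<KEY_ID>` (`gpg --list-secret-keys --keyid-format=long`) and that `--global` applies to every repository on the machine (`--local` scopes it to this one).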
