Should we sign/check merge commits?

[coderanger]

trafficstars

git merge doesn't seem to have any particularly obvious way to do the equivalent of -s which makes me think we should probably just ignore any multi-parent commit. The flipside is that is isn't impossible for a merge commit to introduce non-trivial code contributions if there was a merge conflict, so for safety it might be better to check for them.

UX-friendly middle ground might be to have dco sign update merge commits but have dcob and dco check not require them.

What does dcob do currently? /cc @robbkidd @thommay @nathenharvey @adamhjk