
Native support for CLA sign-off (starting with DCO)

Open marshall007 opened this issue 2 years ago • 2 comments

Description

https://en.m.wikipedia.org/wiki/Developer_Certificate_of_Origin

I believe the typical requirement for DCO commits is the same as committer verification in gitsign (i.e. that the identity matches the commit author).

I think there are two integration points worth considering:

  1. when a commit message contains a Signed-off-by line, enable gitsign.matchCommitter unless it is explicitly set to false
  2. add support for specifying well-known CLAs in the form of extra scopes requested during the OAuth flow

Perhaps these scopes could be specified in the form of URNs (ex. urn:sigstore:gitsign:cla:dco)? Sigstore can then present the requested CLA(s) to the developer on the OAuth consent screen.

TBD how we map the acceptance of requested scopes into the JWTs and ultimately the signing certificate.

marshall007 · May 30 '23 17:05
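One way the first integration point could look in code, as an added example that is not gitsign's own code: a Signed-off-by trailer in the commit message turns committer matching on unless gitsign.matchCommitter was set explicitly, and verification then requires the email in the signing certificate to equal the commit author's email and at least one sign-off to name that same author. The Commit type, MatchCommitter, Verify and the sample commit are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Commit holds the commit fields the check needs (constructed type, not gitsign's).
type Commit struct {
	AuthorEmail string
	Message     string
}

// signOffs returns the lower-cased email addresses from every
// "Signed-off-by: Name <email>" trailer in the commit message.
func signOffs(msg string) []string {
	var out []string
	for _, line := range strings.Split(msg, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "Signed-off-by:") {
			continue
		}
		addr, err := mail.ParseAddress(strings.TrimSpace(strings.TrimPrefix(line, "Signed-off-by:")))
		if err != nil {
			continue // malformed trailer: ignore rather than guess
		}
		out = append(out, strings.ToLower(addr.Address))
	}
	return out
}

// MatchCommitter decides whether committer matching is enforced: an explicit
// gitsign.matchCommitter setting wins; otherwise a Signed-off-by line enables it.
func MatchCommitter(explicit *bool, c Commit) bool {
	if explicit != nil {
		return *explicit
	}
	return len(signOffs(c.Message)) > 0
}

// Verify checks that the certificate email matches the commit author and that
// the author appears in a Signed-off-by trailer; nil means the commit passes.
func Verify(c Commit, certEmail string, explicit *bool) error {
	if !MatchCommitter(explicit, c) {
		return nil // matching not enforced for this commit
	}
	author := strings.ToLower(c.AuthorEmail)
	if strings.ToLower(certEmail) != author {
		return fmt.Errorf("certificate identity %q does not match author %q", certEmail, c.AuthorEmail)
	}
	for _, s := range signOffs(c.Message) {
		if s == author {
			return nil
		}
	}
	return fmt.Errorf("no Signed-off-by trailer matches author %q", c.AuthorEmail)
}

func main() {
	// Constructed sample commit: author signed off with the same identity.
	c := Commit{AuthorEmail: "jane@example.com", Message: "fix: bug\n\nSigned-off-by: Jane Doe <jane@example.com>\n"}
	fmt.Println("enforce:", MatchCommitter(nil, c), "verify:", Verify(c, "jane@example.com", nil))
}
```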

The idea would be to replace integrations like the DCO GitHub App with something like gitsign verify ... --cla dco.

marshall007 · May 30 '23 17:05

🎉 I like it!

We've been a bit resistant to recommending gitsign as a replacement for DCO, since cryptographic signing serves a different purpose than the DCO sign-off (i.e. signing something w/ your identity doesn't mean you agree to a CLA), but I like the idea of using an extra scope to signify the DCO consent.

wlynch · May 31 '23 17:05