Include signed-off-by in commits?
Closed this issue · 0 comments
jku commented
Trying this out in sigstore root-signing-staging is currently failing because the commits are not signed off.
Maybe there's no harm done in just adding a --signoff
to every single git commit
, both in signer and repo code...
That said root-signing has had continuing issues with DCO checks so it is possible they are just a bad idea for repos like this. My assumption is that the issues came from using two things:
- squash merges
- PRs into PR branches
the combination likely confuses github. So my current assumption is that --signoff by default will work as long as squash merges are not used (I believe they should not be used in a tuf-on-ci repo)