theupdateframework/tuf-on-ci

Include signed-off-by in commits?

Closed this issue · 0 comments

jku commented

Trying this out in sigstore root-signing-staging is currently failing because the commits are not signed off.

Maybe there's no harm done in just adding a --signoff to every single git commit, both in signer and repo code...

That said, root-signing has had continuing issues with DCO checks, so it is possible they are just a bad idea for repos like this. My assumption is that the issues came from using two things:

  • squash merges
  • PRs into PR branches

The combination likely confuses GitHub. So my current assumption is that --signoff by default will work as long as squash merges are not used (I believe they should not be used in a tuf-on-ci repo).