Native support for CLA sign-off (starting with DCO) #326
Labels: bug
Comments
The idea would be to replace integrations like the DCO GitHub App with something like

🎉 I like it! We've been a bit resistant to recommending gitsign as a replacement for DCO, since cryptographic signing serves a different purpose than the DCO sign-off (i.e. signing something w/ your identity doesn't mean you agree to a CLA), but I like the idea of using an extra scope to signify the DCO consent.
Description

https://en.m.wikipedia.org/wiki/Developer_Certificate_of_Origin

I believe the typical requirement for DCO commits is the same as committer verification in gitsign (i.e. that the identity matches the commit author). I think there are two integration points worth considering:

- `Signed-off-by` line, enable `gitsign.matchCommitter` unless it is explicitly set to `false`
- `scopes` requested during the OAuth flow

Perhaps these scopes could be specified in the form of URNs (ex. `urn:sigstore:gitsign:cla:dco`)? Sigstore can then present the requested CLA(s) to the developer on the OAuth consent screen. TBD how we map the acceptance of requested scopes into the JWTs and ultimately the signing certificate.