
Native support for CLA sign-off (starting with DCO) #326

Open
marshall007 opened this issue May 30, 2023 · 2 comments
Labels: bug

Comments

@marshall007

Description

https://en.m.wikipedia.org/wiki/Developer_Certificate_of_Origin

I believe the typical requirement for DCO commits is the same as committer verification in gitsign (i.e. that the identity matches the commit author).

I think there are two integration points worth considering:

  1. when a commit message contains a Signed-off-by line, enable gitsign.matchCommitter unless it is explicitly set to false
  2. add support for specifying well-known CLAs in the form of extra scopes requested during the OAuth flow

Perhaps these scopes could be specified in the form of URNs (e.g. urn:sigstore:gitsign:cla:dco)? Sigstore can then present the requested CLA(s) to the developer on the OAuth consent screen.

TBD how we map the acceptance of requested scopes into the JWTs and ultimately the signing certificate.

marshall007 added the bug label on May 30, 2023
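To make integration point 1 concrete, here is an added example in Go (written for this page, not gitsign's own code). It parses Signed-off-by trailers from the last paragraph of a commit message the way git's trailer convention expects, models gitsign.matchCommitter as a tri-state setting (unset, explicitly true, explicitly false) so that a sign-off turns matching on only when the user has not disabled it, and then performs the check a hypothetical `gitsign verify --cla dco` could run: the certificate identity must match the commit author and must appear in a Signed-off-by trailer. The MatchCommitter type, the VerifyDCO function and the commit message are all assumptions constructed for the example; integration point 2 (the URN scope and how it lands in the certificate) is not modelled because the issue leaves that mapping TBD.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Identity is a name/email pair as it appears in a git author line or a
// Signed-off-by trailer.
type Identity struct {
	Name  string
	Email string
}

// MatchCommitter models the tri-state value of the gitsign.matchCommitter
// git config key (assumption for this example): unset, true, or false.
type MatchCommitter int

const (
	MatchUnset MatchCommitter = iota
	MatchTrue
	MatchFalse
)

// identityRE matches "Name <email>"; the email is captured without brackets.
var identityRE = regexp.MustCompile(`^(.*?)\s*<([^>]+)>\s*$`)

// ParseIdentity parses "Name <email>". Emails are lower-cased so that later
// comparisons are case-insensitive.
func ParseIdentity(s string) (Identity, bool) {
	m := identityRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Identity{}, false
	}
	return Identity{Name: strings.TrimSpace(m[1]), Email: strings.ToLower(m[2])}, true
}

// lastParagraph returns the lines of the final paragraph of a commit message,
// which is where git looks for trailers. This is an approximation of
// git interpret-trailers: folded continuation lines are not handled.
func lastParagraph(message string) []string {
	lines := strings.Split(strings.TrimRight(message, "\n"), "\n")
	start := 0
	for i := len(lines) - 1; i >= 0; i-- {
		if strings.TrimSpace(lines[i]) == "" {
			start = i + 1
			break
		}
	}
	return lines[start:]
}

// SignOffs returns every Signed-off-by trailer in the message, in order.
func SignOffs(message string) []Identity {
	const key = "signed-off-by:"
	var out []Identity
	for _, line := range lastParagraph(message) {
		if len(line) < len(key) || !strings.EqualFold(line[:len(key)], key) {
			continue
		}
		if id, ok := ParseIdentity(line[len(key):]); ok {
			out = append(out, id)
		}
	}
	return out
}

// EffectiveMatchCommitter implements integration point 1: a Signed-off-by
// trailer turns committer matching on unless it was explicitly set to false.
func EffectiveMatchCommitter(setting MatchCommitter, message string) bool {
	switch setting {
	case MatchTrue:
		return true
	case MatchFalse:
		return false
	}
	return len(SignOffs(message)) > 0
}

// VerifyDCO is a hypothetical check: the email in the signing certificate must
// equal the commit author's email (committer matching), and at least one
// Signed-off-by trailer must carry that same email, so the signature binds the
// signer to the sign-off rather than to an arbitrary trailer.
func VerifyDCO(certEmail string, author Identity, message string) error {
	certEmail = strings.ToLower(certEmail)
	if strings.ToLower(author.Email) != certEmail {
		return fmt.Errorf("certificate identity %q does not match author %q", certEmail, author.Email)
	}
	signoffs := SignOffs(message)
	if len(signoffs) == 0 {
		return errors.New("no Signed-off-by trailer in commit message")
	}
	for _, s := range signoffs {
		if s.Email == certEmail {
			return nil
		}
	}
	return fmt.Errorf("no Signed-off-by trailer matches certificate identity %q", certEmail)
}

// SampleMessage is a constructed commit message used for the demonstration.
const SampleMessage = `Fix trailer parsing for messages without a trailing newline

Signed-off-by: Ada Lovelace <Ada@example.com>
Reviewed-by: Grace Hopper <grace@example.com>
`

func main() {
	author := Identity{Name: "Ada Lovelace", Email: "ada@example.com"}
	fmt.Println("matchCommitter on:", EffectiveMatchCommitter(MatchUnset, SampleMessage))
	fmt.Println("DCO check:", VerifyDCO("ada@example.com", author, SampleMessage))
	fmt.Println("forged signer:", VerifyDCO("mallory@example.com", author, SampleMessage))
}
```

The explicit-false branch matters: a user who set gitsign.matchCommitter=false on purpose (for example when signing with a CI identity) should not have it silently re-enabled by a trailer, which is exactly the "unless it is explicitly set to false" clause in the proposal.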
@marshall007 (Author)

The idea would be to replace integrations like the DCO GitHub App with something like gitsign verify ... --cla dco.

@wlynch (Member)

wlynch commented May 31, 2023

🎉 I like it!

We've been a bit resistant to recommending gitsign as a replacement for DCO, since cryptographic signing serves a different purpose than the DCO sign-off (i.e. signing something w/ your identity doesn't mean you agree to a CLA), but I like the idea of using an extra scope to signify the DCO consent.
