| id | DEV-310 |
|---|---|
| title | Sign Every Commit |
| status | active |
| enforcement | automated |
| severity | error |
An unsigned commit cannot be verified as authored by the contributor. A PR carrying unsigned commits fails the requirements and cannot be trusted for attribution.
Sign every commit. Signing with an SSH key is recommended; ensure your Git version supports SSH signature verification (Git 2.34 or later).
- Every commit in the PR is signed
- Each commit shows as verified on GitHub