11

Git is a source code version control system, and it has a feature where you can attach a message to the code that you write saying Signed-off-by: Author Name <[email protected]>. (This is in addition to Author: ... which is always present.)

To me it isn't obvious what this means. What exactly are you signing off? I'm not the only one. According to an answer there

It was introduced in the wake of the SCO lawsuit, (and other accusations of copyright infringement from SCO, most of which they never actually took to court), as a Developers Certificate of Origin. It is used to say that you certify that you have created the patch in question, or that you certify that to the best of your knowledge, it was created under an appropriate open-source license, or that it has been provided to you by someone else under those terms. This can help establish a chain of people who take responsibility for the copyright status of the code in question, to help ensure that copyrighted code not released under an appropriate free software (open source) license is not included in the kernel.

The problem is, "Signed-off-by" doesn't say "I certify that I wrote this code". It doesn't even refer to the DCO, which actually does say that.

Furthermore, some projects have an automated check for this line and give you this message if it is missing.

There is one commit incorrectly signed off. This means that the author of this commit failed to include a Signed-off-by line in the commit message.

To avoid having PRs blocked in the future, always include Signed-off-by: Author Name <[email protected]> in every commit message. You can also do this automatically by using the -s flag (i.e., git commit -s).

It explains in slightly more detail further down but the first lines are basically "you forgot this line, this error will go away if you add it", so many people will just do that, without understanding what they are "signing off".

Given that it's not clear what "signed-off-by" means, and people are encouraged to just add that line without understanding it, wouldn't that make this legally pointless?

1
  • 1
    In case it's not clear from answers, the git field is not intended to have any legal meaning; it's presumably for workflow/management/etc. purposes.  Any legal meaning would be subordinate to that.
    gidds, 2025-10-14 15:32:38 +00:00

2 Answers

11

The existence of such a "sign-off" in a git history may have minimal legal significance, but it is not zero. It is evidence of a fact in the world. For example, it is evidence (perhaps weak evidence, depending on the circumstances) that the signer signed at a particular time. You're correct that its further legal significance is not obvious. What such a sign off meant to the signer or to the project will depend on surrounding circumstances. It may also merely be helpful at an investigatory stage where one party is trying to identify who the relevant witnesses even are.

Consider the following hypothetical cross-examination:

  • lawyer: you're Avery?
  • witness: yes
  • lawyer: and you contributed to project X?
  • witness: sometimes
  • lawyer: you have an email address [email protected]?
  • witness: yes
  • lawyer: and you reviewed feature Y?
  • witness: I don't remember; I review a lot of things and that was a long time ago
  • lawyer: [bringing a view of the git history up on a screen] do you recognize this?
  • witness: not this material specifically, but I know this is a git history
  • lawyer: this shows the history of commits to project X, right?
  • witness: looks like it, but I can't say if it's accurate
  • lawyer: let's look at line 20, what does it say?
  • witness: signed off by Avery, [email protected]
  • lawyer: and in the ordinary course, this would only be here if you reviewed this commit?
  • witness: yes

Perhaps at issue is when or even if Avery became aware of a certain feature. This could be relevant in a variety of issues: e.g. trade secret violations, copyright infringement (did Avery have access to material they are alleged to have copied), etc.

Perhaps at issue is whether Avery signed off on this commit. This could be relevant if Avery had a contractual obligation to the operator of project X to not sign off unless they were representing that the commit only includes open-source material, and indemnifying project X in the case that they've erred (to be clear, this would be a wild obligation to take on).

Of course, for many issues, showing whether Avery signed merely as an author would provide the relevant information, but not always (e.g. in the indemnification example above; or where Avery isn't the author but the issue is whether Avery saw the material).

3
  • How does that conversation differ from the one where they just were the committer, instead of filling some extra "signed-off-by" field? Or the person creating the Pull Request into the main branch? Nothing in git is somehow "anonymous" where nobody knows who did it. What meaning has the field legally in contrast to just the other fields that already tell you who did it?
    nvoigt, 2025-10-13 18:03:59 +00:00
  • 2
    @nvoigt this answer does not say that this field has any particular legal meaning — it may very well not convey more or different information than another field — its evidential relevance will depend on the issues in litigation.
    Jen, 2025-10-13 18:33:53 +00:00
  • 3
    @nvoigt Two potential reasons are that the person that signs off that something is legally valid is different than the committer (e.g. a manager), and that sometimes when commits are moved around branches the author changes. I'm still doubtful about how practically useful this actually is though.
    IllusiveBrian, 2025-10-14 01:49:41 +00:00
0

I'm not a lawyer, but my perspective is this one: git requires an identity to be set before it works at all, via git config user.name and git config user.email. This is to attribute commits and tags to their corresponding authors. Or (by git commit -s, that is, lower case s) to provide the DCO of signed-off-by: Author Name <[email protected]> as an indicator to others stating that "[Author Name] agree[s] to the terms published at https://developercertificate.org/ for that particular contribution." (reference Linux Foundation).

However, git doesn't check whether user.name set to Linus Thorvalds is true. Anyone can set up an instance with this parameter set this way. In reference to the dialog in @Jen's answer, stronger evidence that a commit or tag is yours is signing it with either a GPG or an ssh key, by git commit -S -m "my commit message" (that is, capital S) or git tag -s my_tag -m "my tag message" (that is, lower case s). Later, authenticity against the key used can be checked, for instance, by git log -1 --show-signature for the last commit.

Hosts like GitHub, GitLab, Codeberg, etc. allow you to upload the corresponding (public) keys and then check commits accordingly. In case of a match, they display an additional tag, for instance a green "Verified", next to the abbreviated commit hash on GitHub:

[image: GitHub's green "Verified" badge next to the abbreviated commit hash, shown on a repository of the Avogadro2 project]

The public key of the GPG key pair (consider setting an expiration date, and don't forget to define a revocation certificate) is in any case to be shared with colleagues, key servers, etc., too.


  • example of how to instruct git to use a GPG key, presuming you already have a key pair

    git config --global user.signingkey <GPG KEY ID>
    git config --global commit.gpgsign true
    
  • example of how to instruct git (version 2.34 and later) to use an ssh key (think ssh-keygen):

    git config --global gpg.format ssh
    git config --global user.signingkey <absolute/path/to/the/public/ssh_key>
    git config --global commit.gpgsign true
    

    On Linux, step 2) could point, e.g., to ~/.ssh/id_ed25519.pub.

In both examples, the optional --global commit.gpgsign true removes the need for you to think about (and type) the extra -S. Of course you can protect the keys with a passphrase and/or store them separately/detachable from the computer.

3
  • The real Linus Torvalds wouldn't misspell his own name, of course!
    Toby Speight, 2025-10-14 11:42:07 +00:00
  • 2
    While probably correct and technically interesting for me personally, what does that mean in connection to the question? Which laws are involved?
    nvoigt, 2025-10-14 11:43:01 +00:00
  • @TobySpeight I'm definitely outside my wheelhouse, but it sounds like we're saying that this is evidence -- though not conclusive evidence -- of the identity of the person publishing the code. Analogize to a defamatory email: if my name is signed at the bottom of the email, that's some evidence that I wrote it, even though it's not at all conclusive proof that I wrote it.
    bdb484, 2025-10-14 13:10:31 +00:00
