chore(hooks): add commit-msg hook to enforce Signed-off-by and GPG signature

This commit introduces a commit-msg hook that enforces two
requirements for all commits:

- The commit message must contain a `Signed-off-by:` line (added with
  the `-s` flag).
- The commit must be cryptographically signed with GPG (using the `-S`
  flag or global config).

The hook dynamically imports the public key used to sign the latest
commit, ensuring verification works for any user and key.

This change improves the integrity and traceability of our commit
history.

Signed-off-by: Gil Levkovich <[email protected]>

Author: glevkovich

.pre-commit-config.yaml

@@ -14,6 +14,11 @@ repos:
         entry: contrib/scripts/conventional-commits
         language: script
         stages: [commit-msg]
+      - id: signed-commit
+        name: Signed Commit Enforcer
+        entry: contrib/scripts/signed-commit
+        language: script
+        stages: [commit-msg]
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.3.0

.pre-commit-hooks.yaml

@@ -1,7 +1,16 @@
+
 - id: conventional-commits
   name: Conventional Commits Minder
   entry: contrib/scripts/conventional-commits
   language: script
   description: Conventional Commits Enforcement at the `git commit` client-side level
   always_run: true
-  stages: [commit-msg]
+  stages: [commit-msg]
+
+- id: signed-commit
+  name: Signed Commit Enforcer
+  entry: contrib/scripts/signed-commit
+  language: script
+  description: Ensures all commits contain a Signed-off-by line
+  always_run: true
+  stages: [commit-msg]

contrib/scripts/signed-commit

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Dynamically import the public key used to sign the latest commit
+commit_hash=$(git rev-parse HEAD)
+key_id=$(git log --show-signature -1 "$commit_hash" 2>&1 | grep 'using RSA key' | awk '{print $NF}')
+
+if [[ -z "$key_id" ]]; then
+  echo "ERROR: Could not extract GPG key ID from commit signature."
+  exit 1
+fi
+
+if ! gpg --list-keys "$key_id" > /dev/null 2>&1; then
+  gpg --keyserver hkps://keyserver.ubuntu.com --recv-key "$key_id"
+fi
+
+if [[ -z "$1" ]] || [[ ! -f "$1" ]]; then
+  echo "ERROR: Commit message file not provided or does not exist."
+  exit 1
+fi
+
+# check if signed-off-by line is present (automatically added using -s flag)
+if ! grep -q '^Signed-off-by:' "$1"; then
+  echo "ERROR: Commit message must contain a Signed-off-by line."
+  echo ""
+  echo "To sign your commits, use the -s flag:"
+  echo "  git commit -s 'your commit message'"
+  exit 1
+fi
+
+# check if the commit is cryptographically signed using GPG (using -S flag)
+if ! git log --show-signature -1 "${commit_hash}" | grep -q "gpg: Signature made"; then
+    echo "ERROR: Commit is not cryptographically signed with GPG."
+    echo ""
+    echo "To sign your commits with GPG, use the -S flag:"
+    echo "  git commit -S -s 'your commit message'"
+    echo 'or set gpgsign = true in your .gitconfig:'
+    echo '  git config --global commit.gpgsign true'
+    echo "and then:"
+    echo "  git commit -s 'your commit message'"
+    exit 1
+fi