chore(hooks): add commit-msg hook to enforce Signed-off-by line in commit messages

Although our documentation instructs users to configure their .gitconfig
 with `gpgsign = true` under the [commit] section, we cannot rely solely
on this setting. Users may misconfigure their environment, and
third-party contributors might not follow these instructions.

This commit introduces a commit-msg hook that checks for the presence of
a `Signed-off-by:` line in the commit message. The hook does not verify
the actual presence of a cryptographic signature. It only checks for the
text. We assume the line is auto-generated by git when using the `-s`
flag. A malicious user could bypass this check by manually adding the
line, but our goal is to encourage best practices, not to enforce
cryptographic validation.

Signed-off-by: Gil Levkovich <[email protected]>

Author: glevkovich

.pre-commit-config.yaml

@@ -14,6 +14,11 @@ repos:
         entry: contrib/scripts/conventional-commits
         language: script
         stages: [commit-msg]
+      - id: signed-commit
+        name: Signed Commit Enforcer
+        entry: contrib/scripts/signed-commit
+        language: script
+        stages: [commit-msg]
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.3.0

.pre-commit-hooks.yaml

@@ -1,7 +1,16 @@
+
 - id: conventional-commits
   name: Conventional Commits Minder
   entry: contrib/scripts/conventional-commits
   language: script
   description: Conventional Commits Enforcement at the `git commit` client-side level
   always_run: true
-  stages: [commit-msg]
+  stages: [commit-msg]
+
+- id: signed-commit
+  name: Signed Commit Enforcer
+  entry: contrib/scripts/signed-commit
+  language: script
+  description: Ensures all commits contain a Signed-off-by line
+  always_run: true
+  stages: [commit-msg]

contrib/scripts/signed-commit

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+if [[ -z "$1" ]] || [[ ! -f "$1" ]]; then
+  echo "ERROR: Commit message file not provided or does not exist."
+  exit 1
+fi
+
+if ! grep -q '^Signed-off-by:' "$1"; then
+  echo "ERROR: Commit message must contain a Signed-off-by line."
+  echo ""
+  echo "To sign your commits, use the -s flag:"
+  echo "  git commit -s -m 'your commit message'"
+  exit 1
+fi