docs: clarify all commits must be signed in signing.md (#459) (#464)

Signed-off-by: Zaki-Mohd <[email protected]>
Signed-off-by: exploreriii <[email protected]>
Co-authored-by: exploreriii <[email protected]>

Author: Zaki-Mohd

CHANGELOG.md

@@ -79,6 +79,10 @@ This changelog is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.
 - Added checksum validation for TokenId
 - Refactor examples/token_cancel_airdrop
 - Refactor token creation examples for modularity and consistency
+- Updated `signing.md` to clarify commit signing requirements, including DCO, GPG, and branch-specific guidelines (#459)
+
+### Changed
+
 - Rearranged running_examples.md to be alphabetical
 - Refactor token_associate.py for better structure, add association verification query (#367)
 - Refactored `examples/account_create.py` to improve modularity and readability (#363)

docs/sdk_developers/signing.md

@@ -2,14 +2,14 @@
 
 To contribute to this repository, **both DCO sign-off and GPG signature verification** are required for your commits to be merged successfully.
 
-This guide walks you through how to correctly configure and sign your commits.
+This guide walks you through how to correctly configure and sign your commits, and how to ensure **all commits are properly signed**.
 
 ---
 
 ## 🛡️ Why Commit Signing?
 
-- **DCO (`Signed-off-by`)** ensures you agree to the developer certificate of origin.
-- **GPG Signature** proves the commit was authored by a trusted and verified identity.
+* **DCO (`Signed-off-by`)** ensures you agree to the developer certificate of origin.
+* **GPG Signature** proves the commit was authored by a trusted and verified identity.
 
 ---
 
@@ -25,22 +25,21 @@ gpg --full-generate-key
 
 Choose:
 
-Kind: RSA and RSA
-
-Key size: 4096
-
-Expiration: 0 (or choose as per your need)
-
-Name, Email: Must match your GitHub email
-
-Passphrase: Set a strong passphrase 
+* Kind: RSA and RSA
+* Key size: 4096
+* Expiration: 0 (or choose as per your need)
+* Name, Email: Must match your GitHub email
+* Passphrase: Set a strong passphrase
 
 To list your keys:
 
 ```bash
-gpg --list-secret-keys --keyid-format LONG 
+gpg --list-secret-keys --keyid-format LONG
 ```
-Copy the key ID (it looks like 34AA6DBC)
+
+Copy the key ID (looks like `34AA6DBC`).
+
+---
 
 ### 2. Add Your GPG Key to GitHub
 
@@ -49,35 +48,69 @@ Export your GPG public key:
 ```bash
 gpg --armor --export YOUR_KEY_ID
 ```
-Paste the output into GitHub here:
 
+Paste the output into GitHub:
+
+* [Add GPG key on Github](https://github.com/settings/gpg/new)
 
-- [Add GPG key on Github ](https://github.com/settings/gpg/new)
+---
 
-### 3. Tell Git to Use Your GPG Key
+### 3. Configure Git to Use Your GPG Key
 
 ```bash
 git config --global user.signingkey YOUR_KEY_ID
 git config --global commit.gpgsign true
 ```
 
-### 4. Make a Signed Commit
+---
+
+## ✨ Make Signed Commits
 
-Use both DCO sign-off and GPG signing:
+**All commits must be signed using both DCO and GPG.**
 
 ```bash
 git commit -S -s -m "chore: your commit message"
 ```
 
--S = GPG sign
--s = DCO sign-off
+* `-S` = GPG sign
+* `-s` = DCO sign-off
+
+> ⚠️ Ensure **every commit** in your branch follows this rule.
 
-### Fixing an Unsigned Commit
+---
+
+## 🛠️ Fixing Unsigned Commits
+
+If you accidentally forgot to sign commits, there are **two ways to fix them**:
+
+### 1. Soft Reverting Commits (Recommended for New Contributors)
+
+Soft revert the impacted commits while keeping changes locally:
+
+```bash
+git reset --soft HEAD~n
+```
+
+* `HEADn` = number of commits to go back
+* Example: To fix the last 3 commits: `git reset --soft HEAD`
 
-If you forgot to sign or DCO a commit:
+Then, recommit each commit with proper signing:
+
+```bash
+git commit -S -s -m "chore: your commit message"
+```
+
+Repeat for each impacted commit.
+
+---
+
+### 2. Retroactively Signing Commits
+
+Alternatively, you can **amend commits retroactively**:
 
 ```bash
 git commit --amend -S -s
+git rebase -i HEAD~n  # For multiple commits
 git push --force-with-lease
 ```
 ## Rebasing and Signing
@@ -91,16 +124,39 @@ When rebasing, you must use this command to ensure your commits remain verified:
 git rebase main -S
 ```
 
+> **Note:** `--force-with-lease` safely updates the remote branch without overwriting others’ changes.
+
+---
+
+## ✅ Verify Signed Status of Commits
+
+To check that your commits are signed correctly:
+
+```bash
+git log --show-signature
+```
+
+* Ensure each commit shows both **GPG verified** and **DCO signed-off**.
+* For a quick check of recent commits:
+
+```bash
+git log -n 5 --pretty=format:'%h %an %G? %s'
+```
+
+* `G?` column shows the signature status (`G` = good, `B` = bad, `U` = unsigned)
+
+---
+
 ## ✅ Final Checklist
 
-- [ ] Signed your commit with `-S`
-- [ ] Added DCO with `-s`
-- [ ] GPG key is added to GitHub
-- [ ] Verified badge appears in PR
+* [ ] All commits signed with `-S`
+* [ ] DCO added with `-s`
+* [ ] GPG key added to GitHub
+* [ ] Verified badge appears in PR
 
+---
 
 ### Still Need Help?
 
-If you run into issues:
-
-- Refer to [GitHub’s GPG Docs](https://docs.github.com/en/authentication/managing-commit-signature-verification)
+* Refer to [GitHub’s GPG Docs](https://docs.github.com/en/authentication/managing-commit-signature-verification)
+* Ask maintainers on the **Hiero Discord** if stuck