Add CI job to verify all Rust files have license headers

.github/workflows/ValidatePullRequest.yml

@@ -67,6 +67,14 @@ jobs:
     - name: Spell Check Repo
       uses: crate-ci/[email protected]
 
+  license-headers:
+    name: check license headers
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Check License Headers
+      run: ./dev/check-license-headers.sh
+
   # Gate PR merges on this specific "join-job" which requires all other
   # jobs to run first. We need this job since we cannot gate on particular jobs
   # in the workflow, since they can sometimes be skipped (e.g. if the PR only touches docs).
@@ -77,6 +85,7 @@ jobs:
       - rust
       - fuzzing
       - spelling
+      - license-headers
     if: always()
     runs-on: ubuntu-latest
     steps:

.markdownlint.json

@@ -0,0 +1,4 @@
+{
+  "default": true,
+  "MD013": false
+}

CONTRIBUTING.md

@@ -4,7 +4,7 @@ This project welcomes contributions. Most contributions require you to signoff o
 the Developer Certificate of Origin (DCO). When you submit a pull request, a DCO-bot will automatically determine
 whether you need to provide signoff for your commit. Please follow the instructions provided by DCO-bot, as pull
 requests cannot be merged until the author(s) have provided signoff to fulfill the DCO requirement.
-You may find more information on the DCO requirements [below](#developer-certificate-of-origin-signing-your-work).
+You may find more information on the DCO requirements [below](#developer-certificate-of-origin-and-gpg-signing).
 
 ## Issues
 
@@ -31,20 +31,28 @@ All contributions come through pull requests. To submit a proposed change, we re
     - Code changes require tests
     - Make sure to run the linters to check and format the code
 4. Update relevant documentation for the change
-5. Commit with [DCO sign-off](#developer-certificate-of-origin-signing-your-work) and open a PR
+5. Commit with [DCO sign-off](#developer-certificate-of-origin-and-gpg-signing) and open a PR
 6. Wait for the CI process to finish and make sure all checks are green
 7. A maintainer of the project will be assigned, and you can expect a review within a few days
 
 #### Use work-in-progress PRs for early feedback
 
 A good way to communicate before investing too much time is to create a "Work-in-progress" PR and share it with your reviewers. The standard way of doing this is to add a "[WIP]" prefix in your PR's title and open the pull request as a draft.
 
-### Developer Certificate of Origin: Signing your work
+### Developer Certificate of Origin and GPG Signing
 
 #### Every commit needs to be signed
 
+This project requires two types of signatures on all commits:
+
+1. **Developer Certificate of Origin (DCO) Sign-off**: A text attestation that you have the right to submit the code
+2. **GPG Signature**: A cryptographic signature verifying your identity
+
+**For DCO Sign-offs:**
+
 The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the [DCO](https://developercertificate.org/), reformatted for readability:
-```
+
+```text
 By making a contribution to this project, I certify that:
 
     (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
@@ -70,19 +78,56 @@ Git even has a `-s` command line option to append this automatically to your com
 git commit -s -m 'This is my commit message'
 ```
 
-Each Pull Request is checked  whether or not commits in a Pull Request do contain a valid Signed-off-by line.
+**For GPG Signatures:**
+
+GPG signatures verify the identity of the committer. To set up GPG signing:
+
+1. Generate a GPG key and configure Git to use it:
+
+   ```sh
+   git config --global user.signingkey YOUR_KEY_ID
+   git config --global commit.gpgsign true
+   ```
+
+2. Sign commits with the `-S` flag (or rely on the automatic signing from the above configuration):
 
-#### I didn't sign my commit, now what?!
+   ```sh
+   git commit -S -m 'This is my signed commit message'
+   ```
+
+3. For both DCO sign-off and GPG signature in one command:
+
+   ```sh
+   git commit -S -s -m 'This is my signed and signed-off commit message'
+   ```
+
+For detailed instructions on setting up both signature types, see [docs/commit-signing.md](./docs/commit-signing.md).
+
+Each Pull Request is checked to ensure all commits contain valid DCO sign-offs and GPG signatures.
+
+#### I didn't sign my commit, now what?
 
 No worries - You can easily replay your changes, sign them and force push them!
 
+**For adding both DCO sign-off and GPG signature:**
+
 ```sh
 git checkout <branch-name>
-git commit --amend --no-edit --signoff
+git commit --amend --no-edit -S -s
 git push --force-with-lease <remote-name> <branch-name>
 ```
 
-*Credit: This doc was cribbed from Dapr.*
+**For fixing multiple commits:**
+
+```sh
+git rebase -i HEAD~n  # Replace n with the number of commits to fix
+# Change 'pick' to 'edit' for each commit
+# For each commit:
+git commit --amend --no-edit -S -s
+git rebase --continue
+```
+
+For more detailed instructions on fixing commits, see [docs/commit-signing.md](./docs/commit-signing.md).
 
 ### Rust Analyzer
 

Justfile

@@ -131,6 +131,9 @@ fmt-check:
     cargo +nightly fmt --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml -- --check
     cargo +nightly fmt --manifest-path src/hyperlight_guest_capi/Cargo.toml -- --check
 
+check-license-headers:
+    ./dev/check-license-headers.sh
+
 fmt-apply:
     cargo +nightly fmt --all
     cargo +nightly fmt --manifest-path src/tests/rust_guests/callbackguest/Cargo.toml

README.md

@@ -276,3 +276,12 @@ See the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code
 [kvm]: https://help.ubuntu.com/community/KVM/Installation
 
 [whp]: https://devblogs.microsoft.com/visualstudio/hyper-v-android-emulator-support/#1-enable-hyper-v-and-the-windows-hypervisor-platform
+
+## Development
+
+All commits to this repository require:
+
+1. **GPG Verified Signatures**: Each commit must be cryptographically signed using GPG to verify the committer's identity.
+2. **DCO Sign-offs**: Each commit must include a Developer Certificate of Origin sign-off line.
+
+For details on configuring both requirements, see [docs/commit-signing.md](./docs/commit-signing.md) and the [CONTRIBUTING.md](./CONTRIBUTING.md#developer-certificate-of-origin-signing-your-work) file.

dev/check-license-headers.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# This script checks for the presence of the required license header in Rust source files.
+
+# Get the repository root
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+cd "$REPO_ROOT" || exit 1
+
+# Define the license header pattern to look for
+LICENSE_PATTERN="Copyright .* The Hyperlight Authors..*Licensed under the Apache License, Version 2.0"
+
+# Define the full license header for files that need it
+LICENSE_HEADER='/*
+Copyright 2024 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+'
+
+# Initialize a variable to track missing headers
+MISSING_HEADERS=0
+MISSING_FILES=""
+
+# Find all Rust files, excluding target directory
+while IFS= read -r file; do
+    # Skip auto-generated files
+    if grep -q "@generated" "$file" || grep -q "Automatically generated" "$file"; then
+        continue
+    fi
+
+    # Check if the file has the license header (allowing for multi-line matching)
+    if ! grep -q -z "$LICENSE_PATTERN" "$file"; then
+        echo "Missing or invalid license header in $file"
+        MISSING_FILES="$MISSING_FILES\n  $file"
+        MISSING_HEADERS=$((MISSING_HEADERS + 1))
+    fi
+done < <(find src -name "*.rs" -type f)
+
+if [ $MISSING_HEADERS -gt 0 ]; then
+    echo "Found $MISSING_HEADERS files with missing or invalid license headers:"
+    echo -e "$MISSING_FILES"
+    echo ""
+    echo "Please add the following license header to these files:"
+    echo "$LICENSE_HEADER"
+    echo "You can also run: just check-license-headers to verify your changes."
+    exit 1
+else
+    echo "All Rust files have the required license header"
+    exit 0
+fi

docs/commit-signing.md

@@ -0,0 +1,164 @@
+# Commit Signing Requirements
+
+This document explains how to ensure your commits comply with both the Developer Certificate of Origin (DCO) requirements and GPG signing requirements for this project.
+
+## What is the DCO?
+
+The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. See the full text in the [CONTRIBUTING.md](../CONTRIBUTING.md#developer-certificate-of-origin-signing-your-work) file.
+
+## Two Required Signature Types
+
+All commits to this repository must have two types of signatures:
+
+1. **DCO Sign-off**: A `Signed-off-by` line in the commit message
+2. **GPG Signature**: A cryptographic signature verifying the committer's identity
+
+## Adding DCO Sign-offs to Commits
+
+All commits must include a `Signed-off-by` line in the commit message. This line certifies that you have the right to submit your contribution under the project's license.
+
+### Using the -s Flag
+
+The simplest way to add a sign-off to your commits is to use the `-s` flag with the `git commit` command:
+
+```sh
+git commit -s -m "Your commit message"
+```
+
+This will automatically add a `Signed-off-by` line with your name and email to the commit message.
+
+### Configuring Git for Automatic Sign-offs
+
+You can configure Git to automatically add sign-offs to all your commits:
+
+```sh
+git config --global commit.signoff true
+```
+
+Alternatively, you can create a Git alias for creating signed-off commits:
+
+```sh
+git config --global alias.cs 'commit -s'
+```
+
+Then use `git cs` instead of `git commit` to create commits with sign-offs.
+
+## GPG Signing Your Commits
+
+In addition to DCO sign-offs, all commits must be GPG signed to verify your identity.
+
+### Setting Up GPG
+
+1. If you don't have a GPG key, generate one:
+
+   ```sh
+   gpg --full-generate-key
+   ```
+
+   Choose RSA and RSA, 4096 bits, and an expiration date of your preference.
+
+2. List your keys to get the ID:
+
+   ```sh
+   gpg --list-secret-keys --keyid-format=long
+   ```
+
+   Look for the line starting with "sec" and note the key ID after the "/".
+
+3. Configure Git to use your GPG key:
+
+   ```sh
+   git config --global user.signingkey YOUR_KEY_ID
+   ```
+
+   Replace YOUR_KEY_ID with your actual GPG key ID.
+
+4. Configure Git to sign commits automatically:
+
+   ```sh
+   git config --global commit.gpgsign true
+   ```
+
+### Creating GPG Signed Commits
+
+With automatic signing enabled, normal commit commands will create signed commits. You can also explicitly sign with:
+
+```sh
+git commit -S -m "Your commit message"
+```
+
+To create a commit with both GPG signature and DCO sign-off:
+
+```sh
+git commit -S -s -m "Your commit message"
+```
+
+### Adding Your GPG Key to GitHub
+
+1. Export your public key:
+
+   ```sh
+   gpg --armor --export YOUR_KEY_ID
+   ```
+
+2. Copy the output and add it to your GitHub account under Settings > SSH and GPG keys.
+
+## Adding Both Signatures to Existing Commits
+
+If you forgot to sign your commits, you can fix them:
+
+### For the Last Commit
+
+```sh
+git commit --amend --no-edit -S -s
+```
+
+### For Multiple Commits
+
+For adding both DCO sign-offs and GPG signatures to a range of commits, use interactive rebase:
+
+1. Start the rebase:
+
+   ```sh
+   git rebase -i HEAD~n
+   ```
+
+   Replace `n` with the number of commits you want to sign.
+
+2. In the editor, change `pick` to `edit` for each commit.
+
+3. For each commit that opens during the rebase:
+
+   ```sh
+   git commit --amend --no-edit -S -s
+   git rebase --continue
+   ```
+
+Alternatively, for adding just DCO sign-offs to multiple commits:
+
+```sh
+git rebase --signoff HEAD~n
+```
+
+## Verification
+
+The project uses automated checks to verify that all commits include both the required DCO sign-off and GPG signature. If you receive a signature verification failure notification, please follow the instructions above to add the required signatures.
+
+## Troubleshooting
+
+### GPG Signing Issues
+
+If you encounter issues with GPG signing:
+
+- Ensure your GPG key is properly generated and configured with Git
+- Set the `GPG_TTY` environment variable: `export GPG_TTY=$(tty)`
+- For Git GUI tools, you may need to configure GPG agent
+- On Windows, you might need to specify the full path to gpg.exe
+
+### DCO Sign-off Issues
+
+If you encounter issues with DCO sign-offs:
+
+- Ensure your Git user name and email are correctly configured
+- Check that the commit author email matches your configured email
+- For commits created through GitHub's web interface, you'll need to add the sign-off manually in the commit message