The DCO is a per-commit sign-off made by a contributor stating that they agree to the terms published at https://developercertificate.org/ for that particular contribution.

When creating a commit with the Git CLI, a sign-off can be added with the -s option: https://git-scm.com/docs/git-commit#git-commit--s. The sign-off is stored as part of the commit message itself, as a line of the format:

Signed-off-by: Full Name <email>

DCO sign-offs differ from contributor agreements:

• Contributor agreements are typically made once, covering for all future contributions.
• A contributor agreement may be signed by a third party, like a company, on behalf of its employees, whereas the DCO is always an attestation by the author of the contribution.

All Linux Foundation projects MUST incorporate a mandatory mechanism to enforce the DCO on all contributions.

In the contribution guidelines for each project (e.g. a CONTRIBUTING.md file) the project SHOULD make explicit that the DCO is required, and that commit sign-offs of the form Signed-off-by: are attestations according to https://developercertificate.org/.

Log in as user with Owner rights to a GitHub organization. Browse to the URL https://github.com/apps/dco and hit the “Install” (or “Configure”) button. Select the organization to install it to. Select “All repositories”.

Browse to the settings for each repository in that organization. Choose “Branches” from the menu. If “master” does not show up under Protected Branches, select it from the “Choose a branch” drop-down. Enable “Protect this branch”, “Require status checks to pass before merging” (and check the “DCO” status check if it is available). Repeat for the remaining repositories.

To complete the configuration, you should return to the master branch protection screen—on each repository—to check “DCO” after this status check has been seen by GitHub.

TBD

The project.config file must have the following configuration set, or inherited from a parent repository:

[receive]
    requireSignedOffBy = true