716

What's the point of the Sign Off feature in Git?

git commit --signoff

When should I use it, if at all?

BinaryButterfly
  • 18,137
  • 13
  • 50
  • 91
Clark Gaebel
  • 17,280
  • 20
  • 66
  • 93

4 Answers4

663

Sign-off is a requirement for getting patches into the Linux kernel and a few other projects, but most projects don't actually use it.

It was introduced in the wake of the SCO lawsuit, (and other accusations of copyright infringement from SCO, most of which they never actually took to court), as a Developers Certificate of Origin. It is used to say that you certify that you have created the patch in question, or that you certify that to the best of your knowledge, it was created under an appropriate open-source license, or that it has been provided to you by someone else under those terms. This can help establish a chain of people who take responsibility for the copyright status of the code in question, to help ensure that copyrighted code not released under an appropriate free software (open source) license is not included in the kernel.

Brian Campbell
  • 322,767
  • 57
  • 360
  • 340
  • 117
    It should be noted that the described meaning is the one assigned to the `Signed-off-by:` commit message lines by the Linux kernel project (and the Git project itself). For other projects, however, such lines are meaningless unless the project assigns meaning to them (e.g. by describing them in the project's documentation; e.g. Linux’s [SubmittingPatches](http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/SubmittingPatches;hb=HEAD) or Git’s [SubmittingPatches](http://git.kernel.org/?p=git/git.git;a=blob;f=Documentation/SubmittingPatches;hb=HEAD)). – Chris Johnsen Jul 06 '10 at 22:40
  • 60
    So why did this need to be done in the commit message? I thought that commits had an author attached to them, and they were part of the SHA1 hash? – Leif Andersen Dec 31 '10 at 17:02
  • 40
    @Leif Mere authorship information is not sufficient. I might have written a patch, but if I based it on some code from Unix, I wouldn't have permission to release it under the GPL (at least without signoff from someone higher up). Or, a patch may make it between several different maintainers before winding up in the kernel tree; the signoff indicates the chain of custody. Read the certificate of origin that I linked to; that's what it means when you add a signoff line. The "Author" header may be inaccurate, and doesn't necessarily imply agreement with everything in the certificate of origin. – Brian Campbell Dec 31 '10 at 21:43
  • 85
    Without PGP key, how can it be established that the sign-off is genuine? – HRJ Dec 03 '12 at 07:35
  • 1
    Eclipse Foundation Contributor’s Certificate of Origin also uses the signed-off feature for signing. – koppor May 27 '13 at 16:17
  • 12
    @HRJ The genuineness of a signed-off is actually on you (commiter). Not on author, neither on the signed off himself. If later someone (mainly the signed off) dispute its not valid, you better have with you a email or something that proves he agreed to it. Commiter may say he did not commit such blob IF the blob is not GPG signed (IMHO a weak defense, but...). In this case, the commiter can use -S to close the circle. Now with -S and -s you have a chain of custody based on the commiter's word, that the code written by some author is authorized to be used by some signed-off higher up. – DrBeco Nov 09 '14 at 15:08
  • 2
    @BrianCampbell Authorship should be more than sufficient, I still don't understand. Patches applied through `am` (created through `format-patch`) carry the correct author with it, and that author is applied when the patch is applied. For patches applied from `git diff` output (which has no commit metadata with it), sign-off isn't going to help anyway since the commit message is not bundled with the udiff. – void.pointer Jul 19 '15 at 16:23
  • 3
    @void.pointer Authorship is not sufficient. If I am working for a company, and I author a patch, the copyright for that patch belongs to the company. I do not have permission to publish that patch under the terms of the GPL without appropriate management approval. So, if I write a patch and send it to the LKML, the authorship information will be correct, but no one has actually attested that there is actually a legal basis for distributing that patch under the GPL. The fact that it's possible to strip off that information makes no difference. – Brian Campbell Jul 20 '15 at 14:45
  • 4
    @BrianCampbell If its owned by Company, the sign-off is still my name and email (domain may be registered by Company). The sign-off, being part of the commit message, is no more secure than the author field. It can still be stripped. The sign-off communicates nothing additional compared to the author field. Maybe if you can explain what the sign-off has that author doesn't, that would make it feel a little less redundant. – void.pointer Jul 20 '15 at 15:21
  • 4
    @void.pointer It is not redundant because the the sign-off _does_ communicate something more than the author field. The sign-off means (simplified) “I certify the code in this commit can be published under the term of the license of the project.” The author field means “I did this;” it does _not_ mean “this” can be published… To say it in another way, when signing off, you take full responsibility for this commit that it can be distributed legally. It is not a question of security. If you want to secure the commits, sign them. – Frizlab Oct 04 '15 at 23:31
  • 6
    @Frizlab I still don't buy it. Having the same information in there twice doesn't effectively communicate that you give permission to publish the patch. The fact that you *handed it over to someone* in the first place gives that permission. Plus, who's to say someone doesn't go in and just edit the commit message to add that in there for you? It still remains as a silly gesture enforced by the OSS community. – void.pointer Oct 04 '15 at 23:35
  • 3
    @void.pointer Commits where sign-off matters usually have to be signed. A signed commit cannot be altered without the private key. The signed-off still adds some informations. It's not because you’ve committed something, that you did it. You can copy-paste some code from anywhere, then commit. If the pasted code was not allowed to be used and there’s an investigation, who’s to blame? The one who signed-off the commit; NOT the one who committed it. That's what it means. Is it useful? I don’t know… – Frizlab Oct 05 '15 at 15:30
  • 4
    Personally I would *never* apply a patch from someone else that *did not* come with commit metadata. That's the old SVN way of applying a patch. Ideal patches in git are created from commits somewhere. The commit's commiter might be me, but the *author* will be them. That's providing effectively the same info as a sign-off. You know to go talk to the *author* if they find out it's not code they own. – void.pointer Oct 05 '15 at 18:26
  • @Frizlab , quoting your statement: "To say it in another way, when signing off, you take full responsibility for this commit that it can be distributed legally." How is 'signed-off' better than *legally* binding commiter agreement, establishing the same and tying it to the fact of commiting itself? Even the word "commit" here is suggesting :) If its sole purpose is to find "the one" whom to blame -- with commiter agreement that would be the author or the commiter, who could have used author's patch unlawfully. So there is no gain at all! – PF4Public Mar 29 '18 at 11:29
  • If the meaning of "signed-off-by" is something that a project must establish, why can't a project just declare that the "commiter" of git commit is signing off? Maybe it's because this could change if someone comes along doing cherry-picking between baselines. The cherry-picker doesn't certify origin; the original committer does. – Kaz Feb 28 '20 at 18:41
  • Current location of the documentation for sign-off in Linux (v6.2): https://github.com/torvalds/linux/blob/v6.2/Documentation/process/submitting-patches.rst#sign-your-work---the-developers-certificate-of-origin – Guildenstern Mar 18 '23 at 11:05
91

Sign-off is a line at the end of the commit message which certifies who is the author of the commit. Its main purpose is to improve tracking of who did what, especially with patches.

Example commit:

Add tests for the payment processor.

Signed-off-by: Humpty Dumpty <humpty.dumpty@example.com>

It should contain the user real name if used for an open-source project.

If branch maintainer need to slightly modify patches in order to merge them, he could ask the submitter to rediff, but it would be counter-productive. He can adjust the code and put his sign-off at the end so the original author still gets credit for the patch.

Add tests for the payment processor.

Signed-off-by: Humpty Dumpty <humpty.dumpty@example.com>

[Project Maintainer: Renamed test methods according to naming convention.]
Signed-off-by: Project Maintainer <project.maintainer@example.com>

Source: http://gerrit.googlecode.com/svn/documentation/2.0/user-signedoffby.html

double-beep
  • 5,031
  • 17
  • 33
  • 41
Andrzej Rehmann
  • 12,360
  • 7
  • 39
  • 38
  • 62
    Isn't that redundant by the `author` field of a git commit? I always thought that's why there was a separate `author` and `committer` field. The author being the patch writer and the committer being the guy who applied and pushed the patch. – Leif Gruenwoldt Aug 30 '14 at 18:38
  • 20
    Does it really *certify* who the author of a commit is? I mean, as much as -S (--gpg-sign) does, because I don't think so. I think anybody could add a "Signed-off-by" line with any name and e-mail, whereas a GPG signature is much more reliable, but maybe I am wrong. – hdl Feb 29 '16 at 10:21
  • 3
    “Sign-off is a line at the end of the commit message which certifies who is the author of the commit. Its main purpose is to improve tracking of who did what, especially with patches.” — That’s almost certainly wrong (specifically the first sentence). As a counter-example, see for example [b2c150d3aa (linked to in VonC’s answer)](https://github.com/git/git/commit/b2c150d3aa82f6583b9aadfecc5f8fa1c74aca09), which has two signed-off-by headers; one by the *author*, and one by the maintainer. This is common practice in the Git and Linux projects. – Guildenstern Dec 15 '16 at 11:50
  • (Continued from previous comment.) To sign-off means that you have authored the commit under certain conditions, *or* that you are passing on something which has been authored by someone who have (stribed to) fulfil the aforementioned condition. So it forms something like a chain-of-certification. – Guildenstern Dec 15 '16 at 11:54
  • Update on the above: it turns out that I missed something in my last reply, and so I underestimated this answer. The author is partially correct about “adjusting the code”, but puts the wrong emphasis on the “sign-off” trailer. The documentation says that you should add a bracketed trailer (as in the example in the answer) which informs about that. So the the sign-off *in conjunction* with that can be used to add small changes by people like the integrator/maintainer. But the sign-off still serves mainly as what I’ve described. – Guildenstern Dec 15 '16 at 12:50
  • @LeifGruenwoldt for most projects I've seen, the committer is understood to be "person who pressed I approve, merge this" and does not indicate that the committer has made changes to the commit. One possible alternative would be to add another commit afterwards where the committer is the author, but this might be unacceptable e.g. if the first commit breaks the build, which would thrash bisections. – Ciro Santilli OurBigBook.com Oct 30 '19 at 13:21
57

TLDR; Typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see http://developercertificate.org/ for more information).

Git 2.7.1 (February 2016) clarifies that in commit b2c150d (05 Jan 2016) by David A. Wheeler (david-a-wheeler).
(Merged by Junio C Hamano -- gitster -- in commit 7aae9ba, 05 Feb 2016)

git commit man page now includes:

-s::
--signoff::

Add Signed-off-by line by the committer at the end of the commit log message.
The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org for more information).

Expand documentation describing --signoff

Modify various document (man page) files to explain in more detail what --signoff means.

This was inspired by "lwn article 'Bottomley: A modest proposal on the DCO'" (Developer Certificate of Origin) where paulj noted:

The issue I have with DCO is that there adding a "-s" argument to git commit doesn't really mean you have even heard of the DCO (the git commit man page makes no mention of the DCO anywhere), never mind actually seen it.

So how can the presence of "signed-off-by" in any way imply the sender is agreeing to and committing to the DCO? Combined with fact I've seen replies on lists to patches without SOBs that say nothing more than "Resend this with signed-off-by so I can commit it".

Extending git's documentation will make it easier to argue that developers understood --signoff when they use it.

Note that this signoff is now (for Git 2.15.x/2.16, Q1 2018) available for git pull as well.

See commit 3a4d2c7 (12 Oct 2017) by W. Trevor King (wking).
(Merged by Junio C Hamano -- gitster -- in commit fb4cd88, 06 Nov 2017)

pull: pass --signoff/--no-signoff to "git merge"

merge can take --signoff, but without pull passing --signoff down, it is inconvenient to use; allow 'pull' to take the option and pass it through.

With Git 2.33 (Q3 2021), the SubmitingPatches document further (re)illustrate the intent behind signoff: DCO (prefered to CLAs for open-source projects).

See commit f003a91, commit 4523dc8 (22 Jul 2021) by Ævar Arnfjörð Bjarmason (avar).
(Merged by Junio C Hamano -- gitster -- in commit 58705b4, 04 Aug 2021)

SubmittingPatches: move discussion of Signed-off-by above "send"

Signed-off-by: Ævar Arnfjörð Bjarmason

Move the section discussing the addition of a SOB trailer above the section that discusses generating the patch itself.
This makes sense as we don't want someone to go through the process of "git format-patch"(man), only to realize late that they should have used "git commit -s"(man) or equivalent.

SubmittingPatches now includes in its man page:

[[sign-off]]

Certify your work by adding your Signed-off-by trailer

To improve tracking of who did what, we ask you to certify that you wrote the patch or have the right to pass it on under the same license as ours, by "signing off" your patch. Without sign-off, we cannot accept your patches.

If (and only if) you certify the below D-C-O:

[[dco]]

.Developer's Certificate of Origin 1.1

Note that GitHub can force you (since June 2022) to add signoff to your commit messages:

Admins can require sign off on web-based commits

Organization owners and repository admins can now require developers to sign off on commits made through GitHub's web interface, such as when editing a file or merging a pull request.

Also, it is now easier for developers to complete a signoff in the web interface, resulting in fewer commits being blocked from merging and less time spent resolving blocked commits.

https://i0.wp.com/user-images.githubusercontent.com/1767415/172388117-920c9043-c616-49cf-962f-6947c049adcb.png?ssl=1

When the setting is enabled, the web interface will inform developers that their action of committing will also constitute signing off, as shown below.
Like using Git's --signoff option on the command line, signing off in the web interface will automatically append the Signed-off-by: text to the commit message.

https://i0.wp.com/user-images.githubusercontent.com/1767415/166171381-b70438c7-928a-4429-8947-610e74178eec.png?ssl=1

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • 4
    Even with the git commit documentation (at last) referencing the document the -s flag is intending to indicate knowledge and agreement/assent/??? to, I believe the SOB is legally very weak. SOB was, I think at least, invented by Linus to solve a social problem in that others were advocating for high-overhead bureaucracy. Linus didn't want anything, but came up with that to shut them up. As far as I can tell, lawyers would not advise you to invest much, if any, faith in it. (I am 'paulj' on LWN). – paulj Dec 05 '16 at 01:56
  • 8
    VonC, you’re a real Git curator. You always have such well-structured, informative, and nicely cross-referenced answers on questions like this — tracing the history of Git development to eventual user-facing tools and documentation. So thank you for that. – Guildenstern Dec 15 '16 at 10:53
27

There are some nice answers on this question. I’ll try to add a more broad answer, namely about what these kinds of lines/headers/trailers are about in current practice. Not so much about the sign-off header in particular (it’s not the only one).

Headers or trailers (↑1) like “sign-off” (↑2) is, in current practice in projects like Git and Linux, effectively structured metadata for the commit. These are all appended to the end of the commit message, after the “free form” (unstructured) part of the body of the message. These are token–value (or key–value) pairs typically delimited by a colon and a space (:␣).

Like I mentioned, “sign-off” is not the only trailer in current practice. See for example this commit, which has to do with “Dirty Cow”:

 mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
 This is an ancient bug that was actually attempted to be fixed once
 (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
 get_user_pages() race for write access") but that was then undone due to
 problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

 In the meantime, the s390 situation has long been fixed, and we can now
 fix it by checking the pte_dirty() bit properly (and do it better).  The
 s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
 software dirty bits") which made it into v3.9.  Earlier kernels will
 have to look at the page state itself.

 Also, the VM has become more scalable, and what used a purely
 theoretical race back then has become easier to trigger.

 To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
 we already did a COW" rather than play racy games with FOLL_WRITE that
 is very fundamental, and then use the pte dirty flag to validate that
 the FOLL_COW flag is still valid.

 Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
 Acked-by: Hugh Dickins <hughd@google.com>
 Reviewed-by: Michal Hocko <mhocko@suse.com>
 Cc: Andy Lutomirski <luto@kernel.org>
 Cc: Kees Cook <keescook@chromium.org>
 Cc: Oleg Nesterov <oleg@redhat.com>
 Cc: Willy Tarreau <w@1wt.eu>
 Cc: Nick Piggin <npiggin@gmail.com>
 Cc: Greg Thelen <gthelen@google.com>
 Cc: stable@vger.kernel.org
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

In addition to the “sign-off” trailer in the above, there is:

  • “Cc” (was notified about the patch)
  • “Acked-by” (acknowledged by the owner of the code, “looks good to me”)
  • “Reviewed-by” (reviewed)
  • “Reported-and-tested-by” (reported and tested the issue (I assume))

Other projects, like for example Gerrit, have their own headers and associated meaning for them.

See: https://git.wiki.kernel.org/index.php/CommitMessageConventions

Moral of the story

It is my impression that, although the initial motivation for this particular metadata was some legal issues (judging by the other answers), the practice of such metadata has progressed beyond just dealing with the case of forming a chain of authorship.

[↑1]: man git-interpret-trailers
[↑2]: These are also sometimes called “s-o-b” (initials), it seems.

Guildenstern
  • 2,179
  • 1
  • 17
  • 39