Description
Hi maintainers @notaryproject/notaryproject-governance-maintainers,
Notation repositories require all contributors to sign their git commits with a private GPG key (https://docs.github.com/articles/about-gpg/). I have seen this policy block many new contributors in the past few months. See this PR as an example.
This policy requirement is captured in the contributing guide, but I find that it is sometimes ignored or skipped by new contributors. Requiring people to sign each git commit with a private GPG/SSH key is much more secure, but it is a high-friction process for new contributors. Maybe we need to find a balance between security and contributor experience.
I am thinking of relaxing this policy for just the non-code repositories (notaryproject.dev, notaryproject, .github, meeting-notes), as there may be a lot of new contributors who make minor changes to the docs. The docs repos are not released like the code repos, and they also have CLA signing requirements. Shall we relax this policy, at least for the non-code repositories?
If you agree with this suggestion or have other options, please comment on this issue below. Thanks.