FINERACT-2177: Add Git signed commits verification

Author: DeathGun44

.github/workflows/verify-commits.yml

@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Fineract Signed Commits Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+
+jobs:
+  verify-signatures:
+    name: Verify Commit Signatures
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Fetch base branch
+        run: git fetch origin ${{ github.base_ref }}
+
+      - name: Verify signatures
+        run: |
+          chmod +x scripts/verify-signed-commits.sh
+          ./scripts/verify-signed-commits.sh \
+            --base-ref origin/${{ github.base_ref }} \
+            --head-ref ${{ github.sha }} \
+            --strict

CONTRIBUTING.md

@@ -270,3 +270,35 @@ This project's committers typically prefer to bring your pull requests in throug
 We expect most proposed PRs to typically consist of a single commit. Committers may use _Squash and merge_ to combine your commits at merge time, and if they do so, will rewrite your commit message as they see fit.
 
 Neither of these two are hard absolute rules, but mere conventions. Multiple commits in single PRs make sense in certain cases (e.g. branch backports).
+
+### Signing Your Commits
+
+We encourage contributors to sign commits with GPG keys. Signed commits show a "Verified" badge on GitHub.
+
+To set up GPG signing:
+
+1. Install GPG:
+   - **Mac**: `brew install gnupg`
+   - **Linux (Debian/Ubuntu)**: `sudo apt-get install gnupg`
+   - **Windows**: Download and install [Gpg4win](https://www.gpg4win.org/)
+2. Generate a key: `gpg --full-generate-key`
+   - Select `(1) RSA and RSA`
+   - Key size: `4096`
+   - Expiration: `0` (no expiration)
+   - Enter your name and GitHub email
+3. Find your key ID (the string after `rsa4096/` on the `sec` line):
+   ```bash
+   gpg --list-secret-keys --keyid-format=long
+   ```
+4. Configure Git:
+   ```bash
+   git config --global user.signingkey YOUR_KEY_ID
+   git config --global commit.gpgsign true
+   ```
+5. Add your public key to GitHub:
+   ```bash
+   gpg --armor --export YOUR_KEY_ID
+   ```
+   Copy the entire output (including `-----BEGIN PGP PUBLIC KEY BLOCK-----` and `-----END PGP PUBLIC KEY BLOCK-----`) and add it at: GitHub → Settings → SSH and GPG keys → New GPG key
+
+To verify locally before pushing: `./scripts/verify-signed-commits.sh`

scripts/verify-signed-commits.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Usage: ./scripts/verify-signed-commits.sh [--base-ref <ref>] [--head-ref <ref>] [--strict] [--help]
+set -e
+
+BASE_REF="origin/develop"
+HEAD_REF="HEAD"
+STRICT_MODE=false
+
+show_help() {
+    cat << 'EOF'
+Usage: ./scripts/verify-signed-commits.sh [OPTIONS]
+
+Options:
+  --base-ref <ref>   Base reference (default: origin/develop)
+  --head-ref <ref>   Head reference (default: HEAD)
+  --strict           Exit with error if unsigned commits found
+  --help             Show this help
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --base-ref) BASE_REF="$2"; shift 2 ;;
+        --head-ref) HEAD_REF="$2"; shift 2 ;;
+        --strict) STRICT_MODE=true; shift ;;
+        --help) show_help; exit 0 ;;
+        *) echo "Unknown option: $1"; show_help; exit 1 ;;
+    esac
+done
+
+MERGE_BASE=$(git merge-base "$BASE_REF" "$HEAD_REF" 2>/dev/null || echo "")
+if [ -z "$MERGE_BASE" ]; then
+    COMMIT_RANGE="$HEAD_REF~10..$HEAD_REF"
+else
+    COMMIT_RANGE="$MERGE_BASE..$HEAD_REF"
+fi
+
+echo "Verifying commit signatures in range: $COMMIT_RANGE"
+
+COMMITS=$(git log --format="%H%x1f%G?%x1f%an%x1f%s" "$COMMIT_RANGE" 2>/dev/null || echo "")
+if [ -z "$COMMITS" ]; then
+    echo "No commits to verify."
+    exit 0
+fi
+
+UNSIGNED_COUNT=0
+
+while IFS=$'\x1f' read -r HASH SIG_STATUS AUTHOR SUBJECT; do
+    [ -z "$HASH" ] && continue
+    SHORT_HASH="${HASH:0:7}"
+
+    case "$SIG_STATUS" in
+        N)
+            UNSIGNED_COUNT=$((UNSIGNED_COUNT + 1))
+            if [ -n "$GITHUB_ACTIONS" ]; then
+                echo "::error title=Unsigned Commit::Commit $SHORT_HASH by $AUTHOR is not signed."
+            else
+                echo "❌ Unsigned: $SHORT_HASH - $SUBJECT ($AUTHOR)"
+            fi
+            ;;
+        *)
+            echo "✅ Signed: $SHORT_HASH - $SUBJECT"
+            ;;
+    esac
+done <<< "$COMMITS"
+
+echo ""
+echo "Summary: $UNSIGNED_COUNT unsigned commit(s) found."
+
+if [ "$STRICT_MODE" = true ] && [ "$UNSIGNED_COUNT" -gt 0 ]; then
+    if [ -n "$GITHUB_ACTIONS" ]; then
+        echo "::error::$UNSIGNED_COUNT unsigned commit(s). See CONTRIBUTING.md#signing-your-commits"
+    else
+        echo "❌ $UNSIGNED_COUNT unsigned commit(s). See CONTRIBUTING.md#signing-your-commits"
+    fi
+    exit 1
+fi
+
+exit 0