A Complete Guide to DCO for Open Source Developers

• 4 minutes to read

When you contribute code to an open-source project, such as WasmEdge, you are often asked to sign a DCO (Developer Certificate of Origin) to ensure that the project has the proper rights to use your code. However, signing the DCO could be confusing and error prone. It is a barrier for many potential open source contributors. In this article, I will teach you exactly how to sign a DCO for open source projects hosted on GitHub.

Some projects require contributors to sign a CLA (Contributor License Agreement). The CLA is a legal document that takes much more effort than a DCO to complete. However, the CLA only needs to be signed once per developer per project. The DCO must be signed in every commit.

DCO via the command line

The most popular way to do DCO is to sign off your username and email address in the git command line.

First, configure your local git install.

$ git config --global user.name "John Doe" 
$ git config --global user.email johndoe@example.com

Obviously, you should use your own name and the email address associated with your GitHub user account.

Now, every time you commit new code in git, just add a signoff statement via the -s flag.

$ git commit -s -m "This is my commit message"

That’s it. Git adds your sign-off message in the commit message, and you contribution (commit) is now DCO compliant.

DCO via the GitHub web site

For small code changes, the GitHub web editor is a very popular tool to edit and commit changes directly from your web browser.

Before you commit changes in the browser web form, just make sure you add Signed-off-by: username <email address> in the last line of your commit message.

Check your GitHub email setting to see if the “Keep my email address private” toggle is turned on. If it is on, the email address in your commit message should be the anonymous public email address that GitHub created for you. The email address DCO expects is your public email.

Chrome extension “DCO GitHub UI” could automatically add the correct signed-off message in every commit you make from the github web site. Download and install the chrome extension here.

How to fix a failing DCO check

Developers could forget to include DCO sign-off messages in their commits. When that happens, the Pull Request (PR) could fail the automated DCO check, and be blocked from merging. What do you do now?

The easiest way is to update your DCO via the command line.

If you encounter a failing DCO check, go to your PR page and click on DCO details. Then, just follow the instructions to fix DCOs in the commits in this PR.

When you push again, the DCO check will pass.

The second way is to fix the failing DCO check using GitHub Desktop.

Unfortunately, this approach is complex because GitHub Desktop will change your branch name🤣. See this issue on GitHub Desktop for more information.

First, in the list of the project pull requests (PR), click on the PR you'd like to modify. Then, open the PR in Desktop here.

Second, choose to Open the repository in your external editor. For example, I chose VS Code here.

Third, Open a new terminal in VS Code and run the first suggested command on your command line.

git commit —amend —no-edit ---signoff

You will get the following message.

Use git log to verify that the signed-off message is added.

Next, let’s push the change back to the original repo. You can’t run the second command that DCO suggested directly. Find out the current branch name first with git remote show and git branch.

Now you get the exact branch where you are making changes. The next is to push to GitHub.

Go back to the PR you want to fix, and you would see the DCO check has passed.

That's all you need to know about the DCO. Happy coding!


This article is written by the WasmEdge project, a CNCF sandbox project. The WasmEdge Runtime is a lightweight and high-performance WebAssembly (WASM) VM optimized for edge computing. According to a research paper published on IEEE Software, with advanced AOT compiler support, WasmEdge is the fastest runtime on the market today.

The WebAssembly ecosystem is still in its early days. Nevertheless, we are looking forward to the Wasm community join us in the WebAssembly revolution!

👉 Slack Channel: #wasmedge on CNCF slack channel

👉 Mailing list: Send an email to WasmEdge@googlegroups.com

👉 Be a contributor: checkout our wish list to start contributing!

DCOWasmEdgegetting-started
A high-performance, extensible, and hardware optimized WebAssembly Virtual Machine for automotive, cloud, AI, and blockchain applications