Expand Up @@ -46,6 +46,31 @@ Radius leverages the [Developer Certificate of Origin](https://github.com/apps/d

Visual Studio Code has a setting, `git.alwaysSignOff` to automatically add a Signed-off-by line to commit messages. Search for "sign-off" in VS Code settings to find it and enable it.

## Signing your commits

> 💡 Commit signing is **separate from** the DCO `Signed-off-by` line described above. The `Signed-off-by` line is a textual attestation, while commit signing proves that the commit was signed with the private key corresponding to your configured public key. Both are recommended.

We require all contributors to **cryptographically sign their commits** so that they show as **Verified** on GitHub. On GitHub, **Verified** means GitHub could validate the signature and that the signing key is associated with the account. This gives reviewers and the community additional confidence in the integrity and provenance of commits, which is an important supply-chain safeguard.

GitHub supports three types of commit signatures: GPG, SSH, and S/MIME. Pick whichever is easiest for you — SSH signing is usually the simplest if you already use an SSH key with GitHub.

Follow the official GitHub documentation to set this up:

- [About commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
- [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key)
- [Signing commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)
- [Displaying verification statuses for all of your commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits)

Once configured, you can have Git sign every commit automatically by setting:

```sh
git config --global commit.gpgsign true
```

(Use the same setting for SSH or S/MIME signing — Git will use whichever signing format you have configured.)

After pushing, your commits should display a **Verified** badge next to them on GitHub.

## Creating the pull request

Please ensure you are contributing from a fork of the repository. If you have not set this up, please refer to the [forking guide](../../contributing-code-forks/index.md).
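
Review bot: The new "Signing your commits" section contradicts itself on whether signing is mandatory: the callout ends with "Both are recommended", while the next paragraph opens with "We require all contributors to **cryptographically sign their commits**". Pick one wording and use it in both places; if signing is required, the callout should say so. Separately, the `git config --global commit.gpgsign true` snippet only turns signing on. A contributor who takes the SSH suggestion also needs `gpg.format` set to `ssh` and `user.signingkey` pointing at their key, so either show those two settings beside the snippet or reword the parenthetical to say it assumes the linked "Telling Git about your signing key" step is already done. It would also help to give a local check, such as `git log --show-signature -1`, so contributors can confirm a commit is signed before pushing instead of waiting for the badge.
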
4 changes: 4 additions & 0 deletions docs/contributing/contributing-pull-requests/README.md
Expand Up @@ -68,6 +68,10 @@ Fixes: #<issue>

We **squash** pull-requests as part of the merge process, which means that intermediate commits will have their messages appended. We prefer to have a single commit in the git history for each PR.

## Signing your commits

See [Signing your commits](../contributing-code/contributing-code-first-commit/first-commit-06-creating-a-pr/index.md#signing-your-commits) in the first commit guide.

## Automated tests

Our GitHub Actions workflows will run against your pull request to validate the changes. This will run the unit tests, integration tests, and functional tests.
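
Review bot: The added "Signing your commits" section here is only a link, so a reader of this page does not learn that signing is a requirement unless they follow it. State the rule in one sentence before the link. Because the paragraph directly above says "We **squash** pull-requests as part of the merge process", also say whether every intermediate commit in the PR must be signed or only the commits present when the PR is merged; the linked section does not cover the squash case. The link depends on the `#signing-your-commits` anchor in the first commit guide, so a later rename of that heading will silently break it; worth confirming the docs link checker validates anchors.
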