linuxfoundation/lfx-git-setup
lfx-git-setup/SKILL.md
Interactive setup guide for LFX contributors to configure Git for DCO signoff and GPG-signed commits. Use this skill whenever someone asks about setting up Git signing, DCO signoff, GPG keys for commits, configuring `~/.gitconfig` for signing, adding a GPG key to GitHub, or any variation of “how do I sign my commits?”. Also trigger it when a user says their commits aren’t showing as “Verified” on GitHub, when they’re onboarding to an LFX project and need to meet contribution requirements, or when they ask about `git commit -s`, `--signoff`, `Signed-off-by`, or `commit.gpgSign`. This skill works for technical and non-technical users alike.
$ install --global
skillsauthnpx skillsauth add linuxfoundation/lfx-skills lfx-git-setupInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 1:08 PM12.2s1 file scanned
SKILL.md
- name:
- lfx-git-setup
- description:
- >
- allowed-tools:
- Bash, Read, Glob, Grep, AskUserQuestion, WebFetch
<!-- Copyright The Linux Foundation and each contributor to LFX. -->
<!-- SPDX-License-Identifier: MIT -->
LFX git Setup: DCO Signoff & GPG Signed Commits
This skill walks contributors through two essential git contribution requirements used across linux foundation projects:
- DCO signoff (
--signoff/-s) — adds aSigned-off-by: your name <email>line to every commit, certifying you wrote the code and have the right to contribute it under the project's license. This is a legal agreement, not just a formality. - GPG signed commits (
-S) — cryptographically signs each commit with your personal GPG key so GitHub can display a green "verified" badge, proving the commit genuinely came from you.
Your First Step: Detect the User's Platform
Before doing anything else, check what operating system the user is on. The steps are meaningfully different across platforms.
Ask the user (or check their context):
- macos → read
references/mac.mdfor the full walkthrough - linux (ubuntu, fedora, debian, arch, etc.) → read
references/linux.md - windows → read
references/windows.md— note this is a supported but less common setup path; wsl2 (windows subsystem for linux) users should follow linux steps
If it's unclear which platform they're on, just ask: "what operating system are you using — mac, linux, or windows?"
Overall Workflow (all platforms)
The end goal is a ~/.gitconfig that looks roughly like this:
[user]
name = your full name
email = [email protected]
signingkey = abc123def456 # your gpg key id
[commit]
gpgSign = true # auto-sign every commit with -S (GPG signing)
[tag]
gpgSign = true # auto-sign tags too
and a GPG key that:
- was generated with the same email address as your github account
- has its public key uploaded to GitHub (settings → ssh and gpg keys)
The DCO signoff (-s) is handled separately — see the DCO signoff section below.
The Four Phases
- phase 1 — Prerequisites: install gpg tools and verify git version.
- phase 2 — Generate GPG key: create your personal signing key.
- phase 3 — Configure git: wire the key into
~/.gitconfig. - phase 4 — Register with GitHub: upload your public key so github can verify.
Each platform reference file covers all four phases with exact commands.
DCO signoff
The DCO (--signoff or -s) flag is separate from gpg signing. it adds this line to your commit message:
Signed-off-by: your name <[email protected]>
Option A: Always Sign Off Manually (simplest)
git commit -s -S -m "your commit message"
Both flags together: -s for the DCO signoff, -S for GPG signature.
Option B: git alias (recommended for convenience)
Add a c shortcut (or something you will remember) to ~/.gitconfig so git c -m "..." does both automatically:
An example would be:
git config --global alias.c 'commit -s -S'
Then use: git c -m "your commit message"
Option C: Global Commit Hook (fully automatic)
This approach automatically appends Signed-off-by to every commit message,
even in GUI tools:
# create global hooks directory
mkdir -p ~/.git-hooks
# create the hook script
cat > ~/.git-hooks/prepare-commit-msg << 'eof'
#!/bin/sh
# Auto-add DCO Signed-off-by line
sob=$(git var git_author_ident | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
grep -Fqs "^$sob" "$1" || echo "$sob" >> "$1"
eof
# Make the git hook executable
chmod +x ~/.git-hooks/prepare-commit-msg
# Tell git to use this global hooks directory
git config --global core.hookspath ~/.git-hooks
⚠️ Note: the global hook applies to ALL repositories on your machine. If you work on non-lfx projects, you may prefer option A or B instead.
Verifying Everything Works
Once setup is complete, do a test commit:
# in any git repository
git commit -s -S --allow-empty -m "test: verify DCO and gpg signing setup"
git log --show-signature -1
You should see:
gpg: good signature from "your name <email>"in the output- a
Signed-off-by:line in the commit message
On GitHub, after pushing, the commit will show a green verified badge.
Troubleshooting Quick Reference
| problem | likely cause | fix |
| ------------------------------------------ | ------------------------------- | ------------------------------------------------- |
| error: gpg failed to sign the data | gpg agent issue | run export GPG_TTY=$(tty) and retry |
| no verified badge on github | key not uploaded or wrong email | check key email matches github verified email |
| secret key not available | key id mismatch | re-run git config --global user.signingkey <id> |
| DCO check failing in ci | missing signed-off-by | amend last commit: git commit --amend -s |
| gpg prompts not appearing | missing pinentry | see platform reference file for pinentry setup |
| gpg: signing failed: inappropriate ioctl | tty not set | add export GPG_TTY=$(tty) to your shell profile |
Platform Reference Files
- macos:
references/mac.md - linux:
references/linux.md - windows / wsl2:
references/windows.md
Read the appropriate file based on the user's OS before walking them through setup.
Communication Style
This skill serves both technical and non-technical users. Adjust your tone:
- If the user is clearly a developer (mentions terminal, dotfiles, brew, apt, etc.), go straight to commands with brief explanations.
- If the user seems newer to the command line, explain what each command does before showing it, and reassure them that these are one-time setup steps.
- Never assume the user knows what GPG, DCO, or
~/.gitconfigare — briefly define each on first mention. - After each phase, confirm it worked before moving on. ask: "Did that complete without errors?" before proceeding.
Related Skills
linuxfoundation/lfx
development
VerifiedTrustedCommunity
LFX cross-repo topology and ownership router. Use when the task spans more than one LFX repo, asks "which repo owns X", "where does Y live", "what repos does this touch", "what consumes Z", or needs a peer-repo file path from inside a single repo. Loads per-repo configs when invoked from the LFX workspace root with a full task prompt; gives targeted cross-repo guidance when invoked from inside a single repo. Also answers LFX glossary and topology questions, and performs read-only discovery when the user asks whether a contract, API, event, field, workflow, or repo capability exists. Do not fire for single-repo implementation tasks where the active repo's own CLAUDE.md already governs (those belong to the repo's local skills). Do not fire for V2 platform composition, service classes, or cross-service handoffs (use `/lfx-skills:lfx-platform-architecture`), ITX wrapper plumbing (`/lfx-skills:lfx-itx-integration`), or Intercom app/Fin workflows (`/lfx-skills:lfx-intercom`).
8SKILL.mdUpdated Jun 11, 2026
linuxfoundation/lfx-v2-ticket-writer
tools
VerifiedTrustedCommunity
Create a new ticket in the LFXV2 Jira project (linuxfoundation.atlassian.net). Guides the user through picking an issue type (Bug, Story, Task, Epic), writing a concise summary, and capturing the requirement, feature, or bug context, collecting reproduction steps for bugs. Optionally attaches a parent epic, labels, or priority if the user provides them. Submits the ticket via Atlassian MCP and returns the URL. Use this skill any time someone asks to "create a Jira ticket", "open an LFXV2 ticket", "file a bug", "log a story", "write up a feature request", "draft a ticket", or any variation of submitting work into LFXV2.
8SKILL.mdUpdated Jun 11, 2026
linuxfoundation/lfx-test-journey
testing
VerifiedTrustedCommunity
Combine multiple feature branches across repos into worktrees for end-to-end journey testing. Create, refresh, and teardown integration environments that merge branches from multiple repos.
8SKILL.mdUpdated Jun 11, 2026
linuxfoundation/lfx-snowflake-access
devops
VerifiedTrustedCommunity
Guide users through requesting Snowflake access at the Linux Foundation. Handles two request types: (1) individual user access, adding or modifying an entry in users.tf in the lfx-snowflake-terraform repo, and (2) service account creation, adding an entry in service_accounts.tf. For each, the skill collects the necessary details, generates the exact Terraform HCL block to add, explains where to place it, and guides the user through the PR process. Use this skill any time someone asks about Snowflake access, permissions, user provisioning, service accounts, or making changes to the lfx-snowflake-terraform repo, including phrases like "get access to Snowflake", "add me to Snowflake", "need a service account", "request Snowflake permissions", "I need to query Snowflake", or "how do I get Snowflake access".
8SKILL.mdUpdated Jun 11, 2026