
Disabling "sign-off" for members doesn't work, instead requires GPG signatures #153

Open
quanah opened this issue May 5, 2021 · 3 comments

Comments

@quanah

quanah commented May 5, 2021

Installed DCO bot for the cyrus projects (https://github.com/cyrusimap/cyrus-sasl and https://github.com/cyrusimap/cyrus-imapd).

Set up the bit so that members should be ignored:

cyrusimap/cyrus-sasl@647f5a4

for example. Instead, members must now gpg sign commits. That seems to be the opposite result of what was intended?

@elliefm

elliefm commented May 5, 2021

I can kind of understand "organisation members get a special privilege (not having to sign-off), but to get it, they must prove they're organisation members (with GPG)", but:

If a non-organisation member submits a PR containing commits that falsely claim to be authored by an organisation member:

  • the PR submitter/commit author mismatch will already stand out at code review, regardless of the DCO check
  • reviewers can trivially verify the authenticity by just asking the org-member alleged author about it over another channel
  • the submitter could have trivially succeeded at the DCO check anyway, by making the same fraudulent claim in a Signed-off-by: line? (I'm not certain, I haven't poked this hard.)

On the other hand, if a non-organisation member submits a PR and isn't trying to frame an organisation member specifically, then we have no way to confirm whether or not they're actually trying to frame someone else instead. The whole thing is already premised on a trust that the author is who the submitter says they are, which is fine actually; but it seems like if a GPG signature should be required anywhere, it's the "we have no idea who you are" case, not the "is an organisation member" case.

I guess if the whole project is already requiring GPG-signed commits, then the issue becomes academic. But if the project isn't already requiring GPG-signed commits, it feels backwards to suddenly require it here.

@butler54

+1

@HalosGhost

HalosGhost commented Aug 19, 2021

I think this should be configurable. I'd love to use this check, but organization membership (because it's governed by external contracts) will be enough to satisfy any legal issues (for my use-case). Ideally then, organization members shouldn't need to jump through extra hoops.

Having an enumeration instead of a boolean would allow people to configure it easily:

members_must_sign_off: "gpg" | "trailer" | "no"

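As an added illustration (not the DCO bot's own code, and not part of this thread) of how the three values of the proposed enumeration would change the outcome of the check, using constructed commit objects and a hypothetical member list:

```javascript
// Illustration of the proposed members_must_sign_off enumeration.
// Commit shape, verified flag and member list are assumptions for this example.

// A DCO trailer in the form "Signed-off-by: Name <email>".
const SIGNED_OFF_BY = /^Signed-off-by:\s*(.+?)\s*<([^>]+)>\s*$/;

// True when some trailer line names the commit author (name and email).
function hasMatchingSignoff(commit) {
  return commit.message.split('\n').some((line) => {
    const m = SIGNED_OFF_BY.exec(line.trim());
    return m !== null &&
      m[1] === commit.author.name &&
      m[2].toLowerCase() === commit.author.email.toLowerCase();
  });
}

// policy is one of "gpg" | "trailer" | "no" and applies to members only;
// non-members always need a matching Signed-off-by trailer.
function checkCommit(commit, members, policy) {
  if (!members.has(commit.author.login)) {
    return hasMatchingSignoff(commit)
      ? { ok: true, reason: 'signed off' }
      : { ok: false, reason: 'missing Signed-off-by trailer' };
  }
  switch (policy) {
    case 'no':
      return { ok: true, reason: 'member exempt' };
    case 'gpg': // membership must be proven by a verified signature
      return commit.verified
        ? { ok: true, reason: 'member with verified signature' }
        : { ok: false, reason: 'member commit is not signature-verified' };
    case 'trailer': // members sign off like everyone else
      return hasMatchingSignoff(commit)
        ? { ok: true, reason: 'signed off' }
        : { ok: false, reason: 'missing Signed-off-by trailer' };
    default:
      throw new Error(`unknown members_must_sign_off value: ${policy}`);
  }
}

// Constructed sample data (hypothetical logins and addresses).
const MEMBERS = new Set(['alice']);
const memberUnsigned = { author: { login: 'alice', name: 'Alice', email: 'alice@example.org' },
  verified: false, message: 'Fix parser' };
const memberVerified = { ...memberUnsigned, verified: true };
const outsiderSignedOff = { author: { login: 'bob', name: 'Bob', email: 'bob@example.org' },
  verified: false, message: 'Add test\n\nSigned-off-by: Bob <bob@example.org>' };
```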