Yes, the issue solved, by adding the Forge Committer to the All-Projects permissions and enabled it only for project owners instead of all registered users.

Also, each project has it in his project definition:

Contributor Agreements
Require Signed-off-by in commit message:

Was the issue solved? I see the patch was abandoned.

Hi Pavel,

Thanks for reporting about this issue.
There is a configuration that requires 'Signed-off-by in commit message' but it can be bypassed via 'Forge Committer' permissions.
From the documentation:

Forge Committer

Normally Gerrit requires the author and the committer identity lines in a Git commit object (or tagger line in an annotated tag) to match one of the registered email addresses of the uploading user. This permission allows users to bypass parts of that validation, which may be necessary when mirroring changes from an upstream project.

Allows the use of an unverified committer line in commit objects, or an unverified tagger line in annotated tag objects. Typically this is only required when mirroring commits from an upstream project repository.

so i think it is not a bug, we need to think if we should remove the Forge committer permissions from the global (All-Projects) configuration and set it per project
or leave it and request from the project owners to add it in the commit-msg hook (it adds the signed-off by automatically to every commit)