diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2dde838..35c64d1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,25 +19,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: "env"
-        run: env | sort
       - name: "Developer's Certificate of Origin"
         run: |
-          echo
-          echo 'Commits to check:'
-          git log --no-merges --pretty='%H%x09%s%x09%ce%x09-%(trailers:key=Signed-off-by,valueonly,separator=%x00)' origin/master.. |
-             tee /tmp/commits |
-             cut -f1,2
-          echo ''
-          if grep -e '-$' /tmp/commits | cut -f1,2 | grep -e '^' > /tmp/bad-commits; then
-             echo 'Сommits that fail verification:'
-             cat /tmp/bad-commits
-             echo ''
-             echo 'The DCO Signoff Check for all commits has FAILED.'
-             echo 'See https://github.com/legionus/kbd/blob/master/docs/process/howto-contribute.md#patches='
-             echo ''
-             exit 1
-          fi
+          [ "${{ github.event_name }}" = "push" ] &&
+             from="refs/remotes/origin/${{ github.event.repository.default_branch }}" ||
+             from="${{ github.event.pull_request.base.sha }}"
+          tests/ci/check-dco.sh "$from..HEAD"
 
   distcheck_job:
     name: "Distcheck"
diff --git a/tests/ci/check-dco.sh b/tests/ci/check-dco.sh
new file mode 100755
index 0000000..4732824
--- /dev/null
+++ b/tests/ci/check-dco.sh
@@ -0,0 +1,62 @@
+#!/bin/sh -efu
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+rev_list="$1"
+shift
+
+cat >/tmp/forbidden.patterns <<'EOF'
+@users.noreply.github.com
+EOF
+
+git log --max-parents=1 \
+	--pretty='%H%x09%s%x09%ce%x09-%(trailers:key=Signed-off-by,valueonly,separator=%x07)' \
+	"$rev_list" > /tmp/commits
+
+if [ ! -s /tmp/commits ]; then
+	echo '::notice:: DCO: No commits were found for verification.'
+	exit 0
+fi
+
+retcode=0
+n_commits=$(wc -l < /tmp/commits)
+
+echo 'Commits to check:'
+echo ''
+cut -f1,2 /tmp/commits | nl
+echo ''
+
+if grep -e '-$' /tmp/commits | cut -f1,2 | grep -e '^' > /tmp/bad-commits; then
+	echo 'Commits that do not have the `Signed-off-by` tag:'
+	echo ''
+	cat /tmp/bad-commits
+	echo ''
+	retcode=1
+fi
+
+cut -f1,4 /tmp/commits |
+while read -r sha signed_off_by; do
+	tr -s '[:cntrl:]' '\n' <<-EOF | grep -E -f /tmp/forbidden.patterns > /tmp/bad-address || continue
+	${signed_off_by#-}
+	EOF
+	echo -n "${newline-}"
+	echo "* commit $sha"
+	nl -s ': Signed-off-by: ' /tmp/bad-address
+	newline='
+'
+done > /tmp/bad-commits
+
+if [ -s /tmp/bad-commits ]; then
+	echo 'Commits has invalid values in `Signed-off-by`:'
+	echo ''
+	cat /tmp/bad-commits
+	echo ''
+	retcode=1
+fi
+
+[ "$retcode" -eq 0 ] &&
+	{ level='notice'; status=PASSED; } ||
+	{ level='error';  status=FAILED; }
+
+echo "::$level:: The DCO verification of $n_commits commit(s) $status."
+echo ''
+exit $retcode