[research] Producing GPG-signed commits

[webknjaz]

This is not of an immediate urgency but it'd be cool for the cherry-picked commits to be PGP-signed and show up as Verified on GitHub.
There's two known problems with this at the moment, though:

• GitHub docs don't document the signing considerations for GitHub Apps clearly enough: https://github.xiaomo-station.topmunity/t/how-to-properly-gpg-sign-github-app-bot-created-commits/131364?u=webknjaz
• pygit2 that we rely on currently does not expose any APIs for applying signatures to commits. It'd require some effort to get them exposed from libgit2 library that it wraps: GPG-signed commits libgit2/pygit2#647 (comment)

[webknjaz]

Third-party research on how to create signed commits: https://github.com/josecelano/pygithub/blob/f04df405e46a865d80ba3b5729c9b61312320121/docs/how_to_sign_automatic_commits_in_github_actions.md.

[webknjaz]

Here's some ideas on regarding commit signatures to take into account: https://github.com/orgs/community/discussions/50055#discussioncomment-13460641